CSO

THE RESOURCE FOR SECURITY EXECUTIVES

CSOs  have  a  key  role 
to  play  in  preventing 
and  detecting  fraud. 
Here's  how  to  help 
stop  the  insanity. 

PAGE  34 


January  2003  $9.00 
www.csoonline.com 


As  the  world  leader  in  Internet  security,  Check  Point’s™ 
integrated  security  solutions  Connect,  Protect,  Manage 
and  Accelerate  the  network  security  of  more  than  100 
million  users  worldwide. 


CONNECT.  Leading  global  companies  rely  on  Check  Point  VPN  solutions  to 
connect  employees  and  offices  everywhere.  Regardless  of  where  business 
happens  — even  in  the  most  remote  locations  — people  and  companies  are 
securely  connected  to  their  critical  information. 


PROTECT.  Check  Point’s  fail-safe  firewall  infrastructure  provides  the  highest 
level  of  security  for  every  network  from  the  edge  to  the  core.  Our  authentication, 
access  control,  and  content  security  features  have  become  the  trusted  global 
industry  standard. 


MANAGE. Check Point’s revolutionary Security Management Architecture
(SMART™) lets you instantly deploy and distribute security policies regardless of
user location. All aspects of network security can be defined and managed from
a single console, dramatically reducing your total cost of ownership.


ACCELERATE.  Check  Point’s  VPN  and  firewall  solutions  deliver  wire-speed 
performance  up  to  three  times  faster  than  other  network  solutions.  Now  you  can 
maintain  absolute  network  security  without  sacrificing  the  performance  of 
business-critical  applications  or  bogging  down  your  network. 

Check Point


Find  out  the  latest  in  Internet  security  by  downloading 
our  white  paper  “Building  Secure  Wireless  LANs”  at 
www.checkpoint.com/wireless/cso  or  call  (866)  488-6686. 


We  Secure  the  Internet. 


©2002 Check Point Software Technologies Ltd. All rights reserved.




Protection  in  every  location. 
Managed  and  integrated 
from  one  location. 


Symantec 


Introducing  the  Symantec ™  Security  Management  System. 

For the first time, security data from multiple locations, multiple tiers — even multiple brands of information security products — can be managed with a single system, at a single console. Which means that enterprise-wide policy compliance is finally a real possibility. It also means that because you’ve simplified your environment, you can reduce your operating costs. And, most importantly, you can now be more responsive to new and emerging threats, eliminating them before they do damage. It’s part of a revolution in information security, a revolution that offers better protection, efficient management and ensured business continuity for your entire enterprise. For our latest White Paper, “Managing Security Incidents in the Enterprise,” visit http://ses.symantec.com/USA659A8VE or call 800-/45-6054.


Symantec Security Management Console


January 2003
VOL. 2, NO. 1


22 Help Wanted
SECURITY COUNSEL MetLife CSO Robert Cordier answers readers’ questions about security recruiting.

24 Home Is Where the Hard Drive Is
FLASHPOINT Designing an infrastructure to be compatible with many legal environments can ward off privacy headaches. By David H. Holtzman

26 It’s a Small World After All
THE CSO ROLE Bob Littlejohn heads up Avon’s worldwide effort to keep the business up and running and the employees safe. By Simone Kaplan

34 COVER STORY The Fraud Squad
FINANCIAL CRIME Whether it’s done by customers, employees or organized criminals, fraud takes a bite out of business’s bottom line. Here’s what CSOs can do about it. By Daintry Duffy

44 Pillars of Your Community
EMPLOYEE EDUCATION To err is human. But can you really forgive the security disasters a careless employee might bring to your company? Here’s how to teach users that they’re your company’s best defense against information security breaches. By Meg Mitchell Moore

50 Cleared for Takeoff
NATIONAL TRANSPORTATION James Loy, head of the Transportation Security Administration, says that he can safeguard the airlines and their passengers, now that Congress has said he can unpack. By Sarah D. Scalet

60 Taming the Wolf in You
CSO UNDERCOVER Technology is only skin deep. When it comes to a solid security approach, it’s what’s on the inside that counts. By Anonymous

DEPARTMENTS

13 Briefing
CSOs for hire; Homeland spending plans; Power of disclosure; Combating turbulence.

18 Wonk
Footing the bill: Terrorism insurance is expensive. Will the insurance industry pass the buck to the taxpayers? By Julie Hanson

57 Machine Shop
Wireless networks are all the rage. But do you know how to protect your data from eavesdropping hackers? By Simson Garfinkel
TOOLBOX: Masking PINs; Luminous bar codes.

62 Debriefing
Junk food for thought.

IN EVERY ISSUE 6 CSOonline.com; 8 Letter from the Editor; 10 Advisers; 61 Index

Cover photo by Michele Asselin


4  www.csoonline.com  January  2003 


Protect your business with eTrust. For more information, visit ca.com/etrust/antivirus


eTrust™  Security  Solutions 


Computer  Associates™ 


©  2002  Computer  Associates  International,  Inc.  (CA).  All  rights  reserved 


THE RESOURCE FOR SECURITY EXECUTIVES at CSOonline.com


Get  Alarmed 

Read  informed  opinions  on  security  and 
privacy  topics  from  CSO’s  outspoken 
experts.  Senior  Editor  Scott  Berinato  and 
Senior  Writer  Sarah  D.  Scalet  take  turns 
probing  the  issues  that  affect  you  the  most. 
They’ll  make  you  think,  and  maybe  even 
smile.  Read  ALARMED  twice  a  month. 
www.csoonline.com/alarmed 

Free  Newsletters 

CSO  newsletters  delivered  right  to  your 
inbox  every  month— for  free.  CSO  UPDATE 
highlights  the  most  recent  content  posted 
on  CSOonline.  CSO  WANTED  UPDATE 
alerts  you  to  the  latest  security- related  job 
openings  in  our  database.  It  takes  only  a 
few  seconds  to  subscribe. 
www.csoonline.com/newsletters 

Career  Adviser 

How do you boost your career as a CSO when security is not part of your company’s culture? Ask our CAREER ADVISER Joyce Brocaglia. She has an answer for that question and many others.
www.csoonline.com/adviser

More  Career  Resources 

Jump-start or advance your career with postings in our JOB CENTER and the listings in our EVENT CALENDAR. Want to know who is where? Read MOVERS & SHAKERS. www.csoonline.com/career

Exclusive  Research 

Survey  results  of  CSO  SENSOR  reveal  that 
organizations  increasingly  view  security  as 
strategic.  Read  the  details  online. 

www.csoonline.com/csoresearch 


Only  Online 

Check  out  the  fresh  content  on  CSOonline 
every  weekday.  Here’s  a  rundown  of  what 
you'll  find: 

MONDAY 

TALK  BACK  Is  it  wrong  to  guess  at  URLs 
you  were  never  meant  to  find?  Visit  each 
week  to  share  your  opinion  on  this  and 
other controversial security topics.

www.csoonline.com/talkback 

TUESDAY 

SECURITY  CHECK  Quick  and  easy.  Vote 
in  our  weekly  security  poll.  You  can  also 
check  the  results  of  previous  polls  such  as 
“How  often  do  you  or  your  organization’s 
CSO  meet  with  the  CIO?”  A  majority  of 
respondents  said  they  rarely  meet  with  the 
CIO.  www.csoonline.com/poll 

WEDNESDAY 

ANALYST  REPORTS  We’ve  gathered 
research  and  analysis  from  respected 
sources and put it in one convenient package. Read about best practices for firewall
deployments  or  worst  practices  in  customer 
privacy  management. 
www.csoonline.com/analyst 

THURSDAY 

METRICS According to a recent survey, 80 percent of companies consider identity management a priority. Visit each week for the surveys and statistics that you can count on. www.csoonline.com/metrics

FRIDAY 

POLITICS  &  POLICY  Read  the  full  text  of 
bills  before  the  House  and  Senate,  and 
blurbs  about  other  legislative  and  political 
activity— inside  the  Beltway  and  out. 

www.csoonline.com/politics 


President  Walter  Manninen 
Group  Publisher  Gary  J.  Beach 
Publisher  Bob  Bragdon 

EDITORIAL 

Editor  in  Chief  Lew  McCreary 
Executive  Editor  Derek  Slater 
Managing  Editor  Elaine  M.  Cummings 
Managing  Editor,  Production  Cheryl  R.  Asselin 
Senior  Editors  Scott  Berinato,  Daintry  Duffy 
Research  Editor  Lorraine  Cosgrove  Ware 
Senior  Writer  Sarah  D.  Scalet 
Staff  Writer  Simone  Kaplan 
Copy Chief Tom Wailgum
Asst.  Managing  Editor,  Production  Kathleen  S.  Carr 

Copy  Editors  Kelli  A.  Gauthier  (Assoc.), 

Emily  S.  Henderson,  Sarah  Johnson  (Assoc.) 

Research Manager Lynne Z. Rigolini
Editorial  Resource  Manager  Carol  Zarrow 
Editorial  Assistants  Daniel  J.  Horgan,  Joe  Sullivan 

Contributors  Joris  Evers,  Simson  Garfinkel,  David 
H.  Holtzman,  Meg  Mitchell  Moore,  Paul  Roberts 

Editorial  Operations  Specialist  Julie  Hanson 

DESIGN 

Executive  Director,  Art  and  Design  Mary  Lester 
Art  Director  Steve  Traynor 
Senior  Designer  Chandra  Tallman 
Design  Group  Assistant  Rachel  Barnett 

WEBSITE 

Senior  VP/General  Manager,  Online  Tim  Horgan 
Web  Editorial  Director  Art  Jahnke 
Executive  Web  Editor  Martha  Heller 
Web  Editor  Sandy  Kendall 
Web  Writer  Jon  Surmacz 
Online  Technology  Director  Dagmar  Eiben 
Senior  Web  Developer  Ellen  Morey 
Online  Research  Manager  Kathleen  Kotwica 
Audience  Development  Manager  Andrew  Burrell 
Web  Developers  Diane  Chen,  Shannon  Macdonald 
Online  Content  Researcher  Tara  Gillet-Liloia 
Designer  Graham  White 


Founder  Joseph  L.  Levy 

INTERNATIONAL  DATA  GROUP 

Board  Chairman  Patrick  J.  McGovern 
CEO  Pat  Kenealy 




BPA  INTERNATIONAL  MEMBERSHIP 

Applied  for  August  2002 
©  CXO  Media  Inc. 


No. 2

BearingPoint On The Get It Done Culture.

Our clients’ success drives our own success. It’s what they expect and deserve. It’s part of our company’s foundation that’s deeply rooted in getting the job done right. At BearingPoint — formerly KPMG Consulting, Inc. — we help our clients align their business and systems to achieve their desired goals. With an attitude of whatever it takes to help make our clients successful. And help them navigate through the tough economic times. Because the right information brings knowledge. Knowledge is power. Sharing it is empowerment.


BearingPoint 


Formerly  KPMG  Consulting,  Inc. 

Business and Systems Aligned. Business Empowered.


STRATEGY,  TRANSFORMATION  &  OPERATIONS  |  CUSTOMER  RELATIONSHIP  MANAGEMENT  |  SUPPLY  CHAIN  MANAGEMENT  |  ENTERPRISE  SOLUTIONS 
INTEGRATION  SERVICES  |  INFRASTRUCTURE  SOLUTIONS  |  EMERGING  TECHNOLOGIES  |  MANAGED  SERVICES 


©  Copyright  2002,  BearingPoint,  Inc.  All  rights  reserved. 


1-866-BRNGPNT  |  www.bearingpoint.com 


Think  Like  a  Perp 


Listening  to  Dennis  Treece,  the  newly  installed  CSO  of 
the  Massachusetts  Port  Authority,  go  on  at  some  length 
about  the  wide  assortment  of  threats  a  port  can  face,  it 


occurs  to  me  that  there  are  certain  likenesses  between  novel  writing  (my  off- 
hours  hobby,  as  it  happens)  and  security  (my  area  of  professional  interest). 
We’re  having  lunch  in  a  hotel  restaurant  overlooking  Boston  harbor  on  a  snowy 
December  midday.  Treece  (about  whom  we’ll  offer  more  in  a  future  issue)  is 
discussing  the  temperature  at  which  liquefied  natural  gas  becomes  volatile  and, 
hence,  apocalyptically  threatening  to  a  densely  populated  harborside  city  like 
Boston.  “We  wouldn’t  let  a  tanker  come  in  to  port  if  the  temperature  were  out 
of  whack.  But  otherwise,  it’s  really  not  all  that  dangerous.”  As  if  on  cue,  a  big 
LNG  tanker,  surrounded  by  an  escort  of  tugs,  Coast  Guard  and  police  and  fire 
department  boats,  enters  the  harbor,  filling  the  vista  beyond  our  table. 

For Treece— who oversees security for three airports, including Logan International, and the seaport infrastructure, roads and bridges— the work domain is one that he populates with imagined potential menaces that we so-called normal people almost never have to contemplate. The drift of our conversation suggests to me that one little-noted characteristic of the ideal CSO might be a fertile, vivid and twisted imagination (which Treece seems to possess in useful quantities). For a profession whose job description is basically to try to break Murphy’s Law, the goal would be to outdo Murphy in contemplating what could go wrong.

When  I  point  this  out  to  Treece,  he  laughs.  “I  wish  my  imagination  were 
more  twisted  than  it  is.” 


Developing this gift does not come naturally or easily to most people. It requires learning to think like a perp. (I suspect this helps explain why some security practitioners are tempted to consider hiring “reformed” hackers, on the theory that it takes one to stop one.) One reason so many security people have law enforcement or military backgrounds (Treece is former military intelligence) is that they have long since mastered the techniques of perp-think. People in business, though, are not so accustomed to doing this. Bruce Bonsall, CISO of MassMutual, is quoted in this month’s cover story on fraud prevention (see “The Fraud Squad,” Page 34) lamenting how challenging it is for employees “to stop thinking like good honest people and start [thinking like] the bad guys.”

But businesses always tend to cultivate atmospheres of high-flying optimism and positivity. As valuable as it might have been to the CEOs of some now-floundering enterprises, the ability to imagine disaster falls outside of the approved spec for business thinking. Even when businesses are only talking to themselves, the sky is always unrealistically sunny. Inevitably, it falls, by default, to a chosen few to take that penetrating, sobering look at the dark side. And you’re it. So you’ll need to continuously cultivate that twisted imagination of yours. You can practice by working on that crime novel you’ve been meaning to write.

- Lew McCreary
mccreary@cxo.com




PHOTO  BY  WEBB  CHAPPELL 



Aladdin’s eToken is strong, reliable two-factor authentication that simplifies your life while securing your world. Stop the memorization of awkward passwords. Goodbye sticky notes. Vastly improve your organization’s security. eToken is the smart card that doesn’t need a reader or a server. It simply plugs into a USB port, which makes eToken easy to deploy and really affordable. Call 1-800-562-2543 or go to eAladdin.com/eToken to request a free corporate information kit on how eToken can secure your network and simplify your life.

Aladdin
SECURING THE GLOBAL VILLAGE
eAladdin.com


It's  your  digital  identity  organizer. 

Just  one  secure  device  for  all  your  passwords,  keys,  and  certificates. 


YOUR  SECURE  KEY  STORAGE. 

YOUR  SECURE  CERTIFICATE  STORAGE 

YOUR  SECURE  PASSWORD  STORAGE. 

YOUR  SECURE  KEY  GENERATOR. 


YOUR  VPN  ACCESS. 

YOUR  NETWORK  ACCESS. 

YOUR  WEB  ACCESS. 

YOUR  E-MAIL  ACCESS  &  CONFIDENTIALITY. 

YOUR  COMPUTER  BOOT  &  FILES  PROTECTION. 


THE  RESOURCE  FOR  SECURITY  EXECUTIVES 


CSO wishes to thank the following individuals for serving as our editorial Board of Advisers, supplying their expertise and guidance to CSO’s editors.*


CHRIS  CHRISTIANSEN 

Program  Vice  President,  eBusiness 
Infrastructure  and  Security  Software 
IDC 

STEPHEN  E.  CROSS 

Director  and  CEO 
Software  Engineering  Institute  and 
CERT  Coordination  Center 
Carnegie  Mellon  University 

DAVID  CULLINANE 

CISO,  Washington  Mutual 
President,  Information  Systems 
Security  Association 

DOROTHY  DENNING 

Professor

Department  of  Defense  Analysis 
Naval  Postgraduate  School 

DANIEL  E.  GEER  JR. 

CTO,  @Stake 

DAVID  M.  HAGER 

Vice  President,  Network  Security 
and  Disaster  Recovery 
OppenheimerFunds 


JOHN  HARTMANN 

Vice  President  of  Security  and 
Corporate  Services,  Cardinal  Health 

STEVE  KATZ 

President,  Security  Risk  Solutions 

MICKI  KRAUSE 

CISO 

Pacific  Life  Insurance 

BRUCE  SCHNEIER 

CTO,  Counterpane  Internet  Security 

JOHN  TRITAK 

Director 

Critical  Infrastructure  Assurance  Office 

KRIZI  TRIVISANI 

Information  Security  Officer 
The  George  Washington  University 

JAMES  WADE 

CISO,  KeyCorp 
President, (ISC)²

ROBERT  WEAVER 

Assistant  Special  Agent  in  Charge 
Secret  Service  Electronic  Crimes  Task  Force 
New  York  City 


How  to  Reach  Us 

E-MAIL 

csoletters@cxo.com 

PHONE 

508  872-0080 

FAX 

508  879-7784 

ADDRESS 

CSO  Magazine 

492 Old Connecticut Path, P.O. Box 9208
Framingham,  MA  01701-9208 

SUBSCRIBER  SERVICES 

Phone:  866  354-1125 

Fax:  847  564-9002 
E-mail:  cso@omeda.com 

REPRINTS 

Reprints  are  available  by  calling  Reprint  Services 
at  651  582-3834,  or  via  e-mail  at 
csoreprints@reprintservices.com. 

ABOUT IDG International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world. Offering the widest range of media options, IDG reaches more than 120 million technology buyers in 85 countries representing 95 percent of worldwide IT spending. IDG publishes more than 300 newspapers and magazines in 85 countries, led by the Computerworld, Infoworld, Macworld, Network World, PC World and CIO global product lines. IDG offers online users the largest network of technology-specific sites around the world through IDG.net (www.idg.net), a gateway to IDG’s 330 websites powered by more than 2,000 journalists reporting from every continent in the world. IDG also produces 168 technology-related conferences and events, and research company IDC provides global market intelligence, analysis and forecasts in 43 countries.


*Their  participation  does  not  imply  an  endorsement  of  the  magazine’s  contents  or  opinions. 


“Companies  must  look  at  security  as 
a  whole;  you  can’t  divide  national 
and  international  entities.” 

-BOB  LITTLEJOHN,  VICE  PRESIDENT  OF  GLOBAL  SECURITY  FOR  AVON 

(SEE  “IT’S  A  SMALL  WORLD  AFTER  ALL,”  PAGE  26) 




PHOTO  BY  ANDREW  KIST 




You’re the king. Strong. Safe. Protected. Right? Wrong.

The fact is, if your network isn’t protected by NetScreen, you could be far from safe. You see, technological advances don’t only occur in the corporate world. Predators — inside and outside your network — have also made leaps and bounds. Trojan Horses. Worms. Nimda. Code Red. Denial of Service attacks. All emerging threats that many legacy security solutions just can’t handle.

NetScreen can. NetScreen’s line of purpose-built security systems and appliances has the flexibility and performance to handle new threats. And evolve with them. Keeping not only the central site connected and secure, but also your wireless LANs and remote offices. NetScreen’s solutions offer integrated VPN, firewall and network attack blocking. All of which are key to keeping predators under control. And your entire enterprise out of trouble. Find out more about securing your place at the top. Download a white paper on protecting your network from the new generation of security threats at www.netscreen.com/ad/na cs.

NetScreen
Scalable Security Solutions




YOU and CISM™: a WINNING COMBINATION

Some combinations are just natural winners. Like the combination of your security management experience and ISACA®’s new information security certification, CISM™.

CISM (Certified Information Security Manager™) is a groundbreaking credential specifically designed for information security managers. It is intended for those who must maintain a big-picture outlook by directing, crafting and overseeing an organization’s information security. This new credential is brought to you by Information Systems Audit and Control Association®, the organization that has administered the world’s most prestigious IS audit credential for 25 years.

A “grandfathering” process is open to qualified individuals for a limited time.

If you are interested in CISM, visit the ISACA web site at www.isaca.org/cismcso, and find out how to be a part of a winning combination.

CERTIFIED INFORMATION SECURITY MANAGER™


News, Stats and Fast Facts
Edited by Kathleen S. Carr and Daintry Duffy

CSO SECURITY CHECK
Which group of fraud perpetrators concerns you most?

Employees 55%
Business partners or vendors 38%
Hackers (figure not recovered from the chart)

A majority of you confessed that employees are your biggest fraud concern. For more on fraud, see Senior Editor Daintry Duffy’s story, “The Fraud Squad,” on Page 34. To participate in monthly CSO Security Check polls, visit www.csoonline.com.

ILLUSTRATION BY JASON SCHNEIDER

Power of Disclosure

COMPUTER CRIME Civil libertarians are in a dither again, this time over new disclosure provisions for Internet service providers that are contained within the recently signed Homeland Security Act (HSA).

Before the ink was even dry on President Bush’s signature, civil libertarians and legal experts were sounding alarms about Section 225 of the HSA. That section contains the controversial Cyber Security Enhancement Act (CSEA), initially introduced by Rep. Lamar Smith, a Republican from Texas.

Designed to strengthen sentencing guidelines for computer crimes that result in death or physical injury to others, the CSEA includes a number of provisions that loosen disclosure laws for ISPs and other companies that communicate online.

Previously, ISPs and other companies that store electronic communications were required to disclose confidential information only when presented with probable cause, the Fourth Amendment standard that the information is connected to a crime and is likely to be found at the search site.

Under the HSA, however, companies can disclose information based on the good faith belief of “an emergency involving danger of death or serious physical injury to any person”— a loose requirement that relies in this case on the discretion of the ISP.

Brad  Bennett,  communications  director  for 
Rep.  Smith’s  Washington  office,  says  that 
security  officers  shouldn't  be  confused  by  the 
vague  wording  of  the  CSEA. 

“We’re talking about emergency situations,” he says. “The last thing we want is for something untoward to happen because an ISP was afraid to act based on liability.”

But  Bennett  was  less  clear  on  what  types 
of  situations  should  prompt  CSOs  or  other  IT 
staff  to  report  incidents. 

“CSOs  are  probably  better  qualified  to 
know  when  a  situation  isn’t  right  or  when  they 
should  be  more  vigilant.  They  know  systems 
and  danger  signs,”  Bennett  says. 

Legal  experts  and  Civil  Libertarians  worry 
that  the  murky  language  of  the  law  will 
encourage  government  abuses.  Also  unclear  is 
what  types  of  companies  are  covered  by  the 
new  disclosure  laws. 

Bennett  said  that  only  ISPs  would  be 
affected.  But  Lee  Tien,  senior  staff  attorney  at 
the  Electronic  Frontier  Foundation,  says  the 
new  laws  could  be  applied  to  a  broad  range  of 
companies. 

While  not  compelling  companies  to  divulge 
information,  the  CSEA  is  a  testament  to  the 
shift  in  public  sentiment  about  privacy  that 
has  occurred  since  Sept.  11,  according  to  Tien. 

-Paul  Roberts 


California  Comes  Clean 

PRIVACY  Like  an  earthquake  threatening  a 
seismic  shift,  California  is  a  state  on  the  move. 

It’s only been a few months since a hacker obtained the personal information of more than 200,000 state employees, but California’s legislature quickly retaliated, passing Senate Bill 1386, which expands protections for personal data stored online.

The bill, which was signed into law by Gov. Gray Davis in September, modifies the state’s civil code. It requires government agencies and private companies that store confidential information on individuals to disclose any breaches of that confidentiality to the individuals affected.

Personal  information  is  defined  as  a  person’s 
first  and  last  name  obtained  in  any  combination 
with  other  pieces  of  information  such  as  a  Social 
Security  number,  credit  card  number  or  driver's 
license  number,  according  to  the  language  of 
the  bill. 

Notification  of  unauthorized  access  can  come 
in  a  variety  of  forms,  according  to  the  bill.  They 
include  written  notice,  electronic  notification  that 
adheres  to  federal  guidelines  for  electronic 
records  and  signatures,  or  e-mail  notices  and 
public website postings in cases where mass notifications are required.

Although the law contains exemptions for situations in which notification would compromise the integrity of ongoing criminal investigations, the California law still exceeds federal online privacy protections, according to a statement published by the Electronic Privacy Information Center (EPIC), a public interest research group based in Washington, D.C.

Federal laws do not mandate notification when personal information is accessed without authorization, EPIC says.

The new law comes amidst rising concern about the problem of identity theft. The bill’s authors note that more than 1,900 cases of identity theft were reported in Los Angeles County alone in 2000, an increase of more than 100 percent from the previous year.

The  changes  to  the  California  Civil 
Code  enacted  by  Senate  Bill  1386 
take  effect  on  July  1,  2003. 

-Paul  Roberts 




Homeland  Spending  Plans 

CYBERSECURITY  The  Cyber  Security 
Research  and  Development  Act  aims  to  provide  more  than 
$900  million  over  the  next  five  years  to  secure  cyberspace. 
The  bill  flew  through  the  House  and  Senate  and  currently 
awaits  presidential  approval. 


[Chart: authorized funding by fiscal year, 2003 through 2007. Legible data labels: $111 million, $156 million and $234 million.]

SOURCE: THE CYBER SECURITY RESEARCH AND DEVELOPMENT ACT (H.R. 3394), NOV. 12, 2002


CSOs  for  Hire 


RECRUITING Now that President Bush has given the thumbs up to the Department of Homeland Security (DHS), one might expect corporate America to start hiring security experts like mad.

But they’re not. In fact, despite all the attention lavished on security during the past 18 months, the number of companies actively looking to fill CSO/CISO positions has remained steady.

What’s holding them back, you ask? According to executive recruiter Marc Lewis, the two fundamental barriers to more CSO hires continue to be a paucity of qualified candidates and the lack of clarity about the CSO role and responsibilities.

“Right now there’s still more talk than action,” Lewis says. “That’s partly due to the fact that a lot of physical security experts haven’t been able to absorb the challenges of information security fast enough to become viable candidates for CSO jobs.” In the case of CSO candidates, the dearth of experience runs both ways. Companies that are focusing their search on individuals with information security backgrounds are finding that very few candidates are also suited to managing the physical side of the security equation.

Lewis says he’s seen companies search specifically for a candidate with expertise in IT security but then hand the person responsibility for physical security after he is in the door— not a recipe for success. He’s also watched as reporting structures have shifted like sand in a stiff breeze. “It’s very common for CSOs who were supposed to report to the CIO to end up reporting to the COO after being handed responsibility for physical security,” he says.

Of course, certain industry sectors have taken a more active approach to CSO hiring, such as airlines, financial services and pharmaceuticals, many of which had significant investments in security prior to 2001. As for major corporations that are still dragging their feet, the only thing that will get them to pick up the pace is direct personal or corporate experience with an actual or potential security threat, Lewis says. Even having a federal security organization won’t change things immediately. “It’s going to take several years for the new DHS to become more rooted before companies realize they have no choice but to shore up their own security infrastructure,” he says. -Simone Kaplan




ILLUSTRATION  BY  JASON  SCHNEIDER 


Combating Turbulence

TRAVEL SAFETY CSOs are responsible for more than the corporate information assets and office buildings; they must also ensure the ultimate safety of the company’s executives when business travel takes them into dangerous regions. Alon Stivi, a former Israeli special forces commando turned security consultant, is president of Direct Measures International in Costa Mesa, Calif. He trains CSOs and corporate executives like Warren Buffett on the safety measures that executives can take to reduce the risk of being targeted by terrorists and criminals.

CSO: Have the dangers of travel really escalated in the past year or is there simply more awareness?

Alon Stivi: Both. Since 9/11, the government invested money to fortify the security in airports and public facilities. But that leaves the private sector as the most vulnerable and valuable target. Terrorists are looking for the soft, unprotected targets—the maximum result for the least tactical and financial effort. Terrorists still want visibility for their attacks. My experience with the corporate world is that businesses are really unprepared for this kind of threat. Terrorism and travel safety are new fields for security directors.

Which geographic hot spots should business travelers be wary of?

There’s a growing threat in the Far East. There’s a fundamentalist, anti-Western, anti-American [sentiment]. But it’s not Christian versus Muslim; it’s mostly a political issue. These countries have no democracy, no freedom, and there is much more protection there for terrorists. [Some high-risk countries] are the Philippines, Indonesia, Angola, Somalia, Sierra Leone, Algeria, Colombia, Peru, Venezuela and certain areas of Mexico—the kidnapping capital of the world. People would like to think it’s only a [geographic] issue, but terrorists nowadays are international. They are mobile; they can strike anywhere, at any time.

What advice do you give on safe airline travel?

I teach executives to make reservations at the last minute possible and to use their initials as opposed to their full name or company name. The itinerary should be known to very few people. On a plane, the first-class section is the most visible and most at risk for an attack. My personal preference is to sit in the middle of the plane one row behind an exit and not on the aisle. If there’s a kidnapping or hijacking, there’s going to be a rescue attempt, and they’ll be running down the aisle shooting. There’s less likelihood of getting shot close to a window. Also, the first thing I do when I board a plane is walk all the way down the aisle. I examine the passengers, make eye contact, and if there’s somebody I deem to be suspicious, I start up a conversation. Within the first two minutes, I will know by how they interact whether they are really suspicious. If I suspect something, I notify the flight crew.

Are there tips on selecting a hotel abroad?

We recommend selecting a second- or third-story room, because the first floor is too easy to break into. But never go higher than the seventh floor, because no fire department ladder makes it that high. Also, do not use the main lobby for all your entrances and exits; familiarize yourself with various emergency exits and escape routes.

What dangerous traveling behaviors should executives avoid?

Some executives flash their cash, status and nationality—that’s counterproductive. Executives also often frequent tourist spots. If there’s going to be an attack against foreign nationals, it usually happens at those locations, like the recent event in Bali. On the flip side, hotels that are frequented by Americans usually have better security, so it’s a balancing act. Carefully select a hotel that is security conscious and caters to Americans. ■




Pay It Forward

SECURITY INVESTMENT The Tipping Point by Malcolm Gladwell explored the theory that everything from shoe fads to the flu is governed by “tipping” behavior: If a few influential people catch the bug, adoption “tips” and an epidemic begins. According to a recent report from The Brookings Institution, security works the same way: If key players invest in security, others will have incentive to follow, and market forces will take over.

At least that’s what President Bush’s cybersecurity adviser Richard Clarke is expecting to happen with information security, and it’s the reason he’s not advocating government regulation or tax incentives.

But the research from The Brookings Institution backs up the opinions of more cynical security experts.

“In lots of sectors, the market forces aren’t working,” says Howard Kunreuther, a Wharton School professor who coauthored the study, “Interdependent Security: Implications for Homeland Security Policy and Other Areas.” “When you see that other individuals, designers or users have not taken protective action, then the incentives to invest in security may be diminished” because the actions (or inactions) of others will still create weaknesses.

Kunreuther argues that tax incentives, or a law requiring cyberinsurance for critical infrastructure companies, could make all the difference. Then, he says, “you’re not hoping that some market player is the tipping point. You, the government, would be directly changing the incentive yourself.”

Howard Schmidt, Clarke’s second in command, respectfully disagrees. “Most of the major IT vendors have publicly come out and said that security is the foremost thing on their plate.” At non-IT companies, he says, “every indication we’ve gotten from the senior executives is that they do take security seriously. Obviously there’s cynicism that this is just talk, but I think that the government and the people that depend on the critical infrastructure won’t tolerate rhetoric.”

-Sarah D. Scalet




Liar, Liar

POLYGRAPHS Polygraph testing may be an effective plot device in spy movies, but a recent report issued by the National Research Council (an arm of The National Academies) found that when it comes to employee security screenings, polygraphs are deeply flawed. The 245-page report is the result of 19 months of study by a committee of statisticians, psychologists and mathematicians. The Department of Energy commissioned the report after embarrassing allegations of theft and espionage at its labs.

According to the report, one of the problems with using polygraphs to screen large numbers of employees is balance. Test administrators face a dilemma between two unappealing choices. “If you set the threshold for measuring deception too low, then many truthful people will get labeled as deceptive,” says Stephen Fienberg, a professor of statistics and social science at Carnegie Mellon University and chairman of the panel. “If, on the other hand, you raise the bar because you don’t want as many false positives, then too many deceptive people will be labeled as truthful.”

This problem doesn’t even factor in the use of countermeasures by subjects to disguise false responses as truth. Studies suggest that mental exercises like silently counting backward can alter the physiological response to a question.

While private companies may not use the polygraph, the government is free to do so, and employees of companies with government contracts often have to go through a rigorous government screening.

Unfortunately, there is no viable alternative to the polygraph at present. Researchers are looking at technologies like fMRI (functional magnetic resonance imaging) to monitor brain patterns, voice tremor detection and thermal imaging, but they won’t be ready to replace the polygraph for years, if ever.

However, Fienberg and his committee still believe that some good can come from releasing their findings. “People have an overconfidence in the use of the polygraph, and their belief in its accuracy is perhaps worse than the risks of not doing [this kind of testing],” says Fienberg. He hopes that the report will shake the confidence that some government departments have placed in the polygraph and that it will lead to a greater interest in researching alternatives.

-Daintry Duffy
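The threshold dilemma Fienberg describes is a general property of any screening test, and the same trade-off governs the tuning of a security alert rule. The following Python is an added illustration, not part of the NRC report or of this article: it models truthful and deceptive subjects’ scores as two overlapping normal distributions (constructed parameters, not figures from the report), shows how moving the cut-off trades false positives for false negatives, and shows how a tiny base rate of deceptive employees turns even a decent test into a flood of false alarms. The workforce size, prevalence and cost weights are assumptions chosen to make the effect visible.

```python
import math

# Scores are modelled as two normal distributions (mean, std dev): one for
# truthful subjects and one for deceptive ones. These parameters are
# constructed for illustration; they are not figures from the NRC report.
TRUTHFUL = (0.0, 1.0)
DECEPTIVE = (1.0, 1.0)


def normal_cdf(x, mean, std):
    """P(score <= x) for a normal distribution, via the error function."""
    return 0.5 * (1.0 + math.erf((x - mean) / (std * math.sqrt(2.0))))


def error_rates(threshold, truthful=TRUTHFUL, deceptive=DECEPTIVE):
    """Return (false_positive_rate, false_negative_rate) for one cut-off.

    A subject is labelled deceptive when the score is at or above the
    threshold. Lowering the threshold catches more deceptive subjects but
    flags more truthful ones; raising it does the reverse.
    """
    fpr = 1.0 - normal_cdf(threshold, *truthful)   # truthful scored as deceptive
    fnr = normal_cdf(threshold, *deceptive)        # deceptive scored as truthful
    return fpr, fnr


def screening_outcome(threshold, population, prevalence):
    """Expected counts when a whole workforce is screened at one threshold.

    `prevalence` is the fraction of the population that is actually
    deceptive; in employee screening it is tiny, which is what makes the
    false-alarm count swamp the number of real catches.
    """
    fpr, fnr = error_rates(threshold)
    deceptive = population * prevalence
    truthful = population - deceptive
    return {
        "false_alarms": truthful * fpr,
        "caught": deceptive * (1.0 - fnr),
        "missed": deceptive * fnr,
    }


def sweep(thresholds):
    """Tabulate (threshold, fpr, fnr) so the trade-off can be inspected."""
    return [(t, *error_rates(t)) for t in thresholds]


def min_cost_threshold(cost_false_alarm, cost_miss, prevalence, thresholds):
    """Pick the threshold that minimises expected cost per subject screened."""
    def cost(t):
        fpr, fnr = error_rates(t)
        return (1.0 - prevalence) * fpr * cost_false_alarm + prevalence * fnr * cost_miss
    return min(thresholds, key=cost)


if __name__ == "__main__":
    grid = [i / 10.0 for i in range(-20, 41)]
    for t, fpr, fnr in sweep([0.0, 0.5, 1.0, 1.5, 2.0]):
        print(f"threshold {t:4.1f}: false positives {fpr:6.1%}, false negatives {fnr:6.1%}")
    # 10,000 employees screened, 1 in 1,000 actually deceptive (constructed figures)
    print(screening_outcome(0.5, 10_000, 0.001))
    print("cheap misses  ->", min_cost_threshold(1.0, 10.0, 0.001, grid))
    print("costly misses ->", min_cost_threshold(1.0, 1000.0, 0.001, grid))
```

Running it prints the sweep and the base-rate arithmetic: at a cut-off of 0.5 the test still catches most of the ten assumed deceptive employees, but several thousand truthful ones are flagged alongside them, which is exactly the balance problem the report describes. The last two lines show that the “right” threshold is not a property of the test alone; it moves with the relative cost an organisation assigns to a missed case versus a false accusation.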


DEPARTMENT OF SCARY NUMBERS

of security executives surveyed report that information security is still not a board-level priority.

SOURCE: AN INTERNET SECURITY ALLIANCE SURVEY OF MORE THAN 225 INFOSEC PROFESSIONALS, AUGUST 2002




Smile, You’re on Hidden Camera

VIDEO MONITORING Two hours is a considerable distance to drive, especially to scare an errant possum. But, according to Kurt Nelson, IT director at Pacific Pipeline System (PPS), that’s how security monitoring used to operate. With more than 2,000 miles of crude oil pipeline across the country, PPS had motion detectors installed around several of their facilities. While the detectors warned of trespassers at pumping stations, they didn’t give any visual clue of what was causing the detectors to go off.

Using network cameras from Axis technology installed at remote unmanned facilities, controllers now monitor alarms with online real-time video surveillance. They can also watch crews working at remote facilities to ensure their safety. Axis network cameras plug into existing networks and have built-in Web servers, which allow them to operate without a PC. Video servers digitize images from CCTV cameras and upload the images to a Web browser—where undoubtedly a possum or two will find its 15 seconds of fame. -Kathleen Carr


Seeing Infrared

WIRELESS Wireless data connections have sparked lingering security questions. While most discussions focus on 802.11b or other radio wireless LAN (WLAN) technologies, researchers say optical infrared is a cheaper, more secure option.

A new antenna was designed by a team led by Roger Green, professor of electronic communication systems in the School of Engineering at the University of Warwick, England. The optical antenna is a type of optical concentrator that captures infrared radiation at angles up to 90 degrees, blocking the effects of ambient lighting.

Infrared signals can bounce off walls and ceilings, creating the same effect as an 802.11b or Wi-Fi WLAN access point. The optical concentrator also makes wireless networks more secure. Infrared beams are easier to control than radio signals and prevent data from leaking to external spies.

Furthermore, infrared offers up to 10GHz of bandwidth, as opposed to the 2.4GHz band of the popular 802.11b standard, and does not interfere with any radio frequency infrastructure, Green says.

According to Green, infrared is a viable solution for companies interested in secure communications over longer distances. It provides secure data transmissions between buildings, point-and-pay systems, and to connect optical infrared devices like laptops, cell phones and PDAs.

The optical antenna devised by Green and his team is being built into the first product prototypes by several companies. And Green suggests that the final products may even be easy on the CSO’s budget. Because infrared does not require bandwidth licensing fees, the optical antenna products should be cheaper than radio frequency products. -Joris Evers


The Difference Between Critical and Important

SOFTWARE SECURITY After customers complained that they couldn’t identify the most serious security vulnerabilities, Microsoft has added a fourth category to its vulnerability rating system. But critics feel that the extra tier adds even more complexity to an administrator’s job.

Under the new system, fewer bulletins get the “critical” stamp. Only vulnerabilities that could be exploited to allow malicious Internet worms to spread without user action are now rated critical. Many issues that were previously rated critical are now “important,” a new category in the rating system. These “important” vulnerabilities could still expose user data or threaten system resources, but they might not receive the urgent attention from administrators that they deserve.

“If Microsoft wanted to simplify matters, they should’ve done just that—cut the categories down from three to two levels. Administrators want to know whether a patch needs to be applied immediately, or if they can conveniently schedule it,” says Thor Larholm, a Copenhagen, Denmark-based security researcher with PivX Solutions.

A two-tiered system would let administrators quickly decide whether they need to drop all tasks at hand and apply a patch, or whether the risk is small enough that they can wait and include it in a weekly patch cycle.

-J.E.




The Who, What and Why of Washington

Top Billing

NEWS FROM INSIDE THE BELTWAY

Footing the Bill

Terrorism insurance is expensive. Will the insurance industry pass the buck to the taxpayers? By Julie Hanson


THE TERRORISM INSURANCE BILL, signed by President Bush in late November, is being lauded as vital to the shaky economy and the construction industry, in which many projects have stagnated because of the reported lack of affordable terrorism insurance. But this bill, which shifts fiscal responsibility to the government and ultimately to the taxpayers once damages hit a certain dollar figure, is making consumer advocates uneasy.

Their concern is that since insurance companies will not be footing the entire bill, they have less incentive to require their clients to build secure infrastructures and buildings.

The Terrorism Risk Insurance Act (H.R. 3210), which defines terrorism as terrorism that originates from foreign interests, steps in to help insurance companies on any claims more than $10 billion, offering to pay 90 percent of damages that exceed that mark through 2003. If damages are less, the bill sets a graduated payment plan. The first year after one of these smaller claims, insurance companies will be required to pay 7 percent of the premiums they received the previous year. In 2004, this percentage jumps to 10 percent and then finally to 15 percent in 2005. The president states that this bill is crucial to more than $15.5 billion worth of construction projects that have been suspended because insurance agencies are reluctant to offer coverage without government backing. This pause in construction resulted in 300,000 unemployed Americans.

But the Consumer Federation of America (CFA) says that good insurance is already available, real estate loans are obtainable, and letting insurance companies off the hook will lead to an increase in building security problems. “The deductibles the insurance companies have to pay are far less than they can afford, so there is little financial incentive to take better risk assessment measures,” says CFA Legislative Director Travis Plunkett.

The CFA admits a handful of terrorism insurance seekers have had problems finding coverage—large skyscrapers and properties with values of more than $500 million—but most are able to purchase insurance at a reasonable rate. Furthermore, the CFA says lending has not slowed. In April, the Federal Reserve reported that lack of terrorist coverage was having a minimal lending impact. Just 10 percent of domestic banks upped their rejection rate for financing high-profile commercial real estate.

Those in favor of terrorism insurance call the measure a necessary move to correct a dysfunctional marketplace. Terrorism insurance is expensive and offered by only a few agencies that generally do not cover costs to replace an entire building, says Martin DePoy, vice president for government relations for the National Association of Real Estate Investment Trusts.

Even the proposed 7 percent premium the bill requires of insurance companies could cost some agencies billions if faced with another catastrophic event. “In this situation, we need the government to step in on a temporary basis and insure for catastrophic losses until the private market can return to some type of normalcy,” says DePoy. ■


For Washington updates, visit our website at www.csoonline.com/wonk.


The House Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations has given the government an overall grade of “F” for its computer security efforts in the subcommittee’s third annual report card. The Department of Transportation rests at the bottom, scoring 28 points out of a possible 100. The highest scoring department, the Social Security Administration, earned a score of 82.

The Electronic Privacy Information Center (EPIC), in an open letter to Sens. Tom Daschle and Trent Lott, is asking to stop further development of a Defense Advanced Research Projects Agency system called Total Information Awareness (TIA), which will mine vast amounts of information from the general public, including telephone, bank, educational and medical records. EPIC calls TIA “an unconstitutional system of public surveillance.”

The Homeland Security Act, passed in November 2002, included another Freedom of Information Act (FOIA) exemption. An exemption allows companies to report security breaches to the government with the knowledge that information reported cannot be accessed by the public under FOIA. Technologists had previously argued that companies would not report these security breaches to the government without some promise of protection.

Nevada Rep. John Ensign was named chairman of the Senate Republican High-Tech Task Force. This task force’s mission is to act as the Republican leadership’s outreach effort to the technology community and to advise the Republican Caucus on technology issues. Ensign is also a member of the Commerce, Science and Transportation Committee and the Wireless Task Force for the Congressional Internet Caucus.




Wireless Security

Securing wireless networks: Intel IT’s successful journey




Mobile computing wasn’t enough.

True, the rapid spread of low-cost, high-performance notebook PCs had reaped great savings and efficiencies for Intel Corporation’s global army of knowledge workers. By 2001, roughly 77 percent of Intel’s knowledge workers in 45 countries around the world were using mobile PCs, and the results were tangible.

But Intel IT, the company’s own technology unit, was convinced that these mobile workers would be even more productive if linked via wireless connection to the vast resources of the firm’s enterprise network. Faster decision-making, greater sales-force efficiency, and higher employee satisfaction—all of these benefits were possible if Intel IT could deliver wireless networks. And if Intel IT could prove this case internally among its knowledge workers, the benefits of wireless networking could be extended to Intel’s broader global workforce.

Custom Publishing Advertising Supplement

Anytime, anywhere computing became the goal. Deploying wireless local-area networks (WLAN) became the means to achieve it. Yet standing between Intel IT and its goal was an imposing obstacle: developing and deploying a comprehensive security strategy amidst broad misperceptions that wireless communications are inherently insecure.

Pilot Tests: Validating the Approach to Security

Intel IT tackled the security issue head-on. The strategy: conduct a far-reaching series of WLAN pilot tests designed not just to help identify opportunities for increased worker productivity and savings, but also to pinpoint key security issues.

Intel IT wanted to prove that it could deploy wireless LANs to support anytime, anywhere computing, while simultaneously protecting the chip giant’s intellectual properties and sensitive corporate data.

“Pilot tests provide priceless feedback from users and help build a core skill in IT that can be used in deployment, while providing the data needed to select an infrastructure, architecture and design,” says John Johnson, director and general manager of productivity, collaboration and security programs at Intel.

Beginning in early 2001, Intel IT launched its pilot tests in earnest, addressing the technical aspects of security that stood between the group and its goal of providing global, mobile users with secure, radio access point links to Intel’s 11Mbit/sec of bandwidth on IEEE 802.11b-compliant WLANs.

The Intel IT team quickly determined that the out-of-the-box Wired Equivalent Privacy (WEP) key creation scheme could only be used as one of several layers of security for their wireless pilots. The reason: It could allow an intruder with an antenna and a portable PC to tap into data transmissions from a parking lot or a nearby room.




“We realized that WEP was fairly soft, and we weren’t comfortable using it alone,” Johnson says. “Senior management expected a very secure wireless environment capable of meeting the anticipated needs of our employees. We were prepared not to move forward and put the effort on hold if we couldn’t find a security plan that met our requirements.”

Enter virtual private network (VPN) technology. Intel had already harnessed VPN to protect its wired remote access systems. Now Intel IT decided to make VPN serve double-duty to protect its wireless networks as well. Intel IT augmented WEP by equipping notebook computers with VPN client software, backed up by VPN gateways behind radio access points. VPN technology supports three additional methods for protecting data and communications, enabling Intel to encrypt all airborne data. “We’ve found VPN to be very secure and cost effective,” Johnson says. “What we like about it is that we can use the same technology internally to secure our wireless environment and externally to enable secure remote connections via the public Internet.”

Intel IT also decided to employ wireless LAN sniffer devices that can constantly scan the networks for unsecured wireless LAN traffic. With a vigilant eye to the future of security, Intel IT is looking forward to upgrading to new 802.11i wireless standards (pending approval by the IEEE) to achieve even more advanced encryption and higher levels of user authentication.

By the end of the testing, Intel IT had met two huge goals: substantiating the ROI for the technology and validating its security blueprint.

Beyond answering inherent questions about security, Johnson says, the pilot tests helped Intel IT workers gain new confidence in wireless technologies. “IT groups should not be scared about getting into wireless,” he says, “because we found that many wireline networking skills can be applied to wireless.”

Broadscale Deployment: Intel Goes Live With WLAN

Buoyed by the results and lessons learned from its WLAN pilots, Intel IT marched forward with its plans to broadly deploy secure wireless networks.

At last check, Intel had more than 80 WLAN projects in various stages of implementation in the United States, Europe, and Asia. The company has been deploying WLANs primarily in warehouses, factories, corporate offices, sales offices and common areas.

And already Intel has reaped the rewards of global WLAN use. The numbers speak for themselves: an estimated productivity boost of 1.5 hours per day for each of the several thousand workers accessing roughly 80 wireless LANs in 18 countries. In response to the early success, Intel IT is now in the midst of a long-term deployment strategy designed to transition workers to access 802.11a WLANs that support a maximum data speed of 54Mbit/sec—with even greater security.

Asked to reflect on Intel’s internal WLAN experience, Johnson is enthusiastic about Intel IT’s successful deployment—that the group met its goal of securing anytime, anywhere computing for Intel’s global workforce—and he’s encouraged by the early, substantial returns from added mobility. “If I were asked by another IT manager whether to proceed with wireless LANs, my answer would be an emphatic Yes!” Johnson says. “The productivity gains we are seeing demonstrate that deploying wireless LANs to supplement our wired computing environment brings us a great deal of added value.”

READY TO TAKE THE NEXT STEP?

Whether your next step is undertaking your own wireless LAN pilot or doing more research on wireless topics, you’ll find these valuable how-to guides, case studies and white papers at: www.intel.com/go/wireless

• Five Steps to Deploying a Wireless LAN

• Wireless 802.11 Security in a Corporate Environment

• Intel IT: Building the Foundation for Anytime, Anywhere Computing

source: Intel Corporation
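The sniffer devices Intel IT describes scan for unsecured wireless LAN traffic. The Python below is an added example that is not Intel IT’s code and is not a description of its tooling; it shows the check such a scanner performs on frames captured from a monitor-mode interface. It decodes the 802.11 frame-control field, flags beacons whose capability field advertises no privacy (an open network) and flags data frames sent without the Protected Frame bit, which is what an unprotected WEP-less or VPN-less client would produce. The access point, station and frames are constructed inline for the example; the only protocol facts used are the standard MAC header layout and the beacon fixed fields.

```python
import struct
from dataclasses import dataclass

# 802.11 frame-control layout: byte 0 = version/type/subtype, byte 1 = flags.
TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_BEACON = 8
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
CAP_PRIVACY = 0x0010   # beacon capability bit: station must use encryption
HEADER_LEN = 24        # fc(2) + duration(2) + addr1/2/3(18) + seq ctl(2)


@dataclass
class Finding:
    kind: str      # "open_network" or "cleartext_data"
    bssid: str
    detail: str


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Decode the header fields of a three-address 802.11 frame."""
    if len(frame) < HEADER_LEN:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0, flags = frame[0], frame[1]
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    to_ds, from_ds = bool(flags & FLAG_TO_DS), bool(flags & FLAG_FROM_DS)
    # Which address field holds the BSSID depends on the To/From DS bits.
    if to_ds and not from_ds:
        bssid = mac_str(addr1)
    elif from_ds and not to_ds:
        bssid = mac_str(addr2)
    elif not to_ds and not from_ds:
        bssid = mac_str(addr3)
    else:
        bssid = "wds"  # four-address frame; BSSID is not in the first 24 bytes
    return {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "protected": bool(flags & FLAG_PROTECTED),
        "bssid": bssid,
        "body": frame[HEADER_LEN:],
    }


def parse_beacon(body: bytes):
    """Return (capability bits, SSID) from a beacon body."""
    if len(body) < 12:
        raise ValueError("beacon body too short for its fixed fields")
    capability = struct.unpack_from("<H", body, 10)[0]  # after timestamp(8)+interval(2)
    ssid, offset = None, 12
    while offset + 2 <= len(body):                      # walk the information elements
        tag, length = body[offset], body[offset + 1]
        if tag == 0:
            ssid = body[offset + 2:offset + 2 + length].decode("utf-8", "replace")
        offset += 2 + length
    return capability, ssid


def audit(frames):
    """Flag beacons of open networks and data frames sent without encryption."""
    findings = []
    for frame in frames:
        p = parse_frame(frame)
        if p["type"] == TYPE_MGMT and p["subtype"] == SUBTYPE_BEACON:
            capability, ssid = parse_beacon(p["body"])
            if not capability & CAP_PRIVACY:
                findings.append(Finding("open_network", p["bssid"],
                                        f"beacon for SSID {ssid!r} advertises no privacy"))
        elif p["type"] == TYPE_DATA and not p["subtype"] & 0x4:  # skip null-function frames
            if not p["protected"]:
                findings.append(Finding("cleartext_data", p["bssid"],
                                        "data frame without the Protected Frame bit"))
    return findings


# Constructed sample capture (not real traffic): one access point, one station.
AP, STA, BCAST = bytes.fromhex("0011aa000001"), bytes.fromhex("0011bb000002"), b"\xff" * 6


def header(fc0, flags, a1, a2, a3):
    return bytes([fc0, flags]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"


def beacon(ssid, privacy):
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, CAP_PRIVACY if privacy else 0)
    return header(0x80, 0x00, BCAST, AP, AP) + fixed + bytes([0, len(ssid)]) + ssid


SAMPLE_FRAMES = [
    beacon(b"corp-secure", True),
    beacon(b"guest-open", False),
    header(0x08, FLAG_TO_DS | FLAG_PROTECTED, AP, STA, AP) + b"\x00" * 8 + b"ciphertext",
    header(0x08, FLAG_TO_DS, AP, STA, AP) + b"GET / HTTP/1.0",
    header(0x48, FLAG_TO_DS, AP, STA, AP),   # null data frame: no payload, ignored
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FRAMES):
        print(f"{f.kind:<15} bssid={f.bssid}  {f.detail}")
```

Two design points matter in practice. Null-function data frames are skipped because they carry no payload, so their missing Protected bit is not a leak; without that exclusion a scanner raises a steady stream of false alarms from idle, correctly configured clients. And the BSSID is taken from the address slot the To/From DS bits select, so a finding can be tied to a specific access point rather than to whichever MAC happened to be first in the header.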

Intel. 


S  2 


i  n  t  e  I 


CSO Perspectives

Today’s security executives meet at the CSO Perspectives Conference

The Resource for Security Executives

June 17-19, 2003
Hotel del Coronado
Coronado, California

As an executive responsible for securing and protecting an organization’s information assets and infrastructure, you are constantly searching for how to better define your mission and responsibilities within the enterprise. You need a forum in which you can address your own unique set of business-level challenges—and network with your peers.

CSO Perspectives meets those needs with an educational and networking conference just for you—chief security officers (CSOs) and senior technology decision-makers (CIOs). At CSO Perspectives, you’ll gain firsthand knowledge from industry experts and your peers that can enhance your organization’s security strategy.

You’ll have the opportunity to:

• Exchange best practices in balancing risk and responsibility

• Learn from your peers what works in the real world

• Explore creating a culture of security

• Understand the current thinking on key issues and trends

• Uncover the hidden threats of legal liability

• Examine emerging technologies that will impact your enterprise

Visit us at www.csoperspectives.com or call 800 366-0246.


Help Wanted

MetLife CSO Robert Cordier answers readers’ questions about security recruiting

Q: How do you determine “appropriate” levels of security—levels that have a direct impact on the amount of budget you’re given? Information security, as a profession, seems to be grappling with this question more than ever.

A: Since 9/11, in my opinion, most corporations have appropriately augmented security-related budgets with generous enhancements to upgrade security measures. Determining the appropriate level of security is most effectively done by taking a holistic view of the enterprise. First, there should be a security template to identify policies, procedures and installations of equipment and technology for consistent application throughout all facilities. While not all budgets will provide for the immediate enhancement of all facilities to this threshold level of security, an analysis and prioritization of security upgrades across an enterprise will allow for a phased implementation of these security enhancements.

To identify components that require security upgrades, a comprehensive security questionnaire can provide a ranking of the most crucial and sensitive operations. From this ranking, immediate and more concerted security enhancements can be targeted with minimal impact on the security budget.

Onsite security reviews and inspections of facilities or lines of business are mandatory by the security component. Where possible, this function could be contracted to reputable security consultants for independent review.

To complement these processes, the implementation of an effective crisis management initiative, involving representatives from all business functions and operations, is effective in establishing policies that enhance the security program throughout the corporation. The crisis management process can justify budget enhancements to those who might otherwise be ignorant as to the need or value of certain security expenditures.


Q: I am a recruiter working with executives looking for senior opportunities in physical security. Most of our clients are searching for security executives who are skilled in information security. What is your opinion of the CSO role? Is the ideal candidate a physical security guru, an information security executive or a combination of both?

A: The CSO is an executive-level position with responsibility for the maximum coordination and integration of security protocols, procedures and policies within a corporate structure. All security departments have a mission with three goals: 1. provide for the safety and security of all employees, 2. protect and maintain all corporate facilities and the physical assets and property, and 3. ensure the security and continued preservation of all corporate information, research, and proprietary data and the technology that supports it.

To implement a corporatewide security program and advance this security mission, it is imperative that a CSO be a leader and manager who understands the critical importance of blending tradition and technology into today’s security arena. Although it might be desirable to have a CSO who is steeped in both physical security and information security, I believe it is more important for the CSO to be an individual with depth and experience in management who is also complemented with a comfortable level and awareness of both the physical security and information security platforms.

Thus, if recruiters are looking for the appropriate criteria for the CSO position, it would be prudent to establish a threshold for depth and accomplishment within the leadership and management categories. The selection matrix would thereafter include a preference category where appropriate weight should be afforded to candidates with discernible skill and experience within the physical and information security disciplines. The weight or percentage afforded to either discipline should be tilted toward those candidates whose knowledge, experience and skill level are most consistently aligned with the primary security responsibilities of the client corporation.

Recruiters should understand that competent security executives will lead and manage their security programs in a manner that is inclusive of the talents and expertise necessary to accomplish their mission and not be fractured by a single-minded perspective. ■

Robert Cordier is the CSO of MetLife.

Have a security topic to suggest or an expert you’d like to hear from? Send comments to Assistant Managing Editor Kathleen Carr at kcarr@cxo.com. Go online to see what your peers are discussing at www.csoonline.com/counsel.


22  www.csoonline.com  January  2003 


PHOTO  BY  EDWARD  SANTALONE 


Checkmate (NEW)

Imagine an intrusion protection system that actually anticipates a hacker’s behavior. Checkmate is the newest breed of intrusion protection, and the first to truly combine behavioral and computer sciences. Created by nationally recognized experts in psychological assessment and network security, Checkmate assesses a hacker’s intent and prevents damage—before it occurs. For more information, visit www.psynapsetech.com


Home Is Where the Hard Drive Is

Designing an infrastructure to be compatible with many legal environments can ward off privacy headaches

By David H. Holtzman

THE DIFFERENCES BETWEEN e-commerce and traditional commerce are glaring when you squint at them through a regulatory spyglass. While industrial age governmental policy freezes like a 10-point buck in headlights, the legal prey of tomorrow is only a distant blur. Designing an enterprise requires long-term vision, but strategic planning is next to impossible when the networks you build today will outlast the laws that govern their behavior.

Let’s say you’ve just been hired in a senior information security position at a U.S.-based company that sells collectible widgets online. You have been asked to sit down with the general counsel (GC) and CFO to map out a long-range enterprise architecture that will support the company’s growth. The CFO insists that the company converge on a centralized infrastructure to reduce costs in the business units. The GC innocently asks about conforming to legal and privacy rules. “Which ones?” you ask.

In traditional commerce, governance rules are negotiated and captured in treaties. The exceptions to that are products with cultural significance that override the economics—the sex and drugs type commodities. In e-commerce, all transactions fall into this category because the marketplace incorporates hot issues like privacy, intellectual property and taxation, regardless of the product.

Not only are the rules subject to change, it’s also unclear whose rules are applicable. The jurisdiction of a single e-commerce transaction could equally be where:

■ The company is incorporated
■ Servers are located
■ The company does business
■ The customer lives
■ The fiber-optic cable runs
■ A remote employee accesses the customer database

The first wave of e-commerce was defined by the workarounds. Institutions and authorities kept policy afloat like a beach ball at a rock concert—until the bubble popped. That resulted in stopgap policies such as the Internet sales tax moratorium and the Safe Harbor privacy provisions for doing business in the European Union.

The second wave of e-commerce will be defined by the exceptions. These irregularities will be created by the mismatches of overlapping sovereignty. For some businesses, this will be disastrous; for others an opportunity.

Economic need will twist the legal areas of commerce further out of alignment with the physical location of the systems and servers. That incongruence causes the problem. How do you design an enterprise architecture for legal compliance when you don’t know whose laws may be relevant and which laws likeliest to cause trouble are in flux? Here are some suggestions:

■ Pay careful attention to where the data comes out, not in; most countries will probably attach conditions and penalties to data use, not aggregation. Tag accounts with their geographic location so that they can be policy controlled. For instance, if you have an auction site, don’t let French or German customers see, let alone buy, Nazi memorabilia.

■ Transfer your servers to the most subpoena-favorable legal climate available internationally, most likely in the Caribbean. This is similar to companies incorporating in Delaware for tax reasons. Indian reservations may become prime locations for server farms.

■ Don’t ask, don’t tell. If your customers are not buying goods that require shipping, don’t ask for more information than you need. The more you ask for, the likelier that you’ll violate an ordinance. If you have too much information, you lose plausible deniability as a defense.

The price barriers to international commerce will continue to drop because of the Internet, and all markets will soon be global. Visionary leaders who optimize their infrastructure for legal flexibility will be able to tack against the winds of change and move on to new markets. Those who elect to play it safe will find themselves stalled in the Sargasso Sea of corporate compliance. We may not be able to direct the wind, but we can always adjust the sails. ■

David H. Holtzman, former CTO of Network Solutions, also worked as a cryptographic analyst with the U.S. Navy and an intelligence analyst at DEFSMAC. He can be reached at david@globalpov.com. Send feedback and column ideas to Senior Editor Daintry Duffy at dduffy@cxo.com.




ILLUSTRATION  BY  DAN  PICASSO 


SUBSCRIBE TODAY!

Yes, please enter my one-year subscription (12 issues) to CSO magazine, and bill me later for $64.95! This is a domestic rate only (US and Canada). The foreign rate is $105.00 prepaid in U.S. currency.

www.csoonline.com


Sure, you want end-to-end network security. But where does your network actually end?

Threats to network security can come from anywhere at anytime, and firewalls alone will not stop them. Ensure that your data and business applications stay secure by embedding safeguards throughout your entire network. With a defense-in-depth solution from Cisco, you can provide the scalable, manageable, and comprehensive protection your network needs. Cisco integrates advanced security and VPN functionality into Cisco IOS software for routers, Catalyst-series switches, and a wide range of market-leading appliances. So security isn’t just added on; it’s part of the network infrastructure itself. Contact Cisco, your channel partner, or your Cisco Powered Network Service Provider to learn how Cisco can provide a comprehensive, cost-effective security solution for your business.

cisco.com/go/vpnsecurity

Cisco Systems: Empowering the Internet Generation

©2002 Cisco Systems, Inc. All rights reserved. Cisco, Cisco Systems, the Cisco Systems logo, Empowering the Internet Generation, Cisco Powered Network and Cisco IOS are registered trademarks or trademarks of Cisco Systems, Inc.


It’s a Small World After All


BY SIMONE KAPLAN

Bob Littlejohn is in the middle of a day that most people would consider tumultuous. Hair-raising, even. First, there’s that evacuation drill he’s planning for the New York City headquarters of his company, Avon Products. He’s taking rapid-fire calls from Guatemala, Brazil and the Philippines, just a few of the 140 countries in which Avon operates. He worries about them all. And he’s headed to Greece tonight to handle a situation in person. For Littlejohn, this is just business as usual.

IN THIS STORY: Key attributes, qualifications and leadership strategies for the CSO




PHOTOGRAPHY  BY  ANDREW  KIST 


Evacuations, crises overseas and bomb threats—it’s all in a day’s work for Bob Littlejohn, Avon’s VP of global security.


The  CSO  Role 


He fine-tunes the details of the evacuation drill as the phone rings. It’s Avon’s El Salvador office. Littlejohn’s security director there is worried because the U.S. Embassy, which is next door to Avon’s regional facility, just received a bomb threat and is in the process of a lockdown. Littlejohn’s immediate concern is with the more than 200 Avon employees working near the embassy. When he realizes the bomb threat is specific and credible, he calmly orders the employees to evacuate until the situation is resolved.


As vice president of global security for Avon, Littlejohn conducts nearly half of his professional life from his New York office and the other half traveling around the globe. He has security directors in every major region of the world who report to him on a daily basis. International employees use a 24-hour hotline for emergencies. “The phone rings from 9 p.m. to midnight with calls from Asia. Then Europe starts calling around 6 a.m.,” Littlejohn says. “Most of the callers are just looking for advice, but sometimes I’ll need to get on a plane.” He’s concerned that a lot of U.S. companies look at security from only a national rather than international standpoint. “Security is an integral piece of the business process—it doesn’t function alone,” he insists. “Companies must look at security as a whole; you can’t divide national and international entities.”

This is Bob Littlejohn. Championing a multinational effort to keep Avon employees safe while exuding a confidence and a calm that’s based in the knowledge that he’s planned for just about every contingency possible. For him, that is the essence of leadership. And Bob Littlejohn is all about leadership.

Many consider Littlejohn to be a leader in the security world—as seasoned a security pro as you can find. A former vice president of investigations and consulting at security services giant Pinkerton Service, he’s a retired Army colonel from West Point who became a cop with the NYPD. During his 21 years with the force, he held executive positions in narcotics and intelligence and headed the operations division. In the early ’80s, Littlejohn was appointed director of the New York City mayor’s emergency management office. He developed a disaster-mitigation program for the city in the event of terrorist attacks or a chemical leak, not knowing how relevant his actions would be some day. He served on the board of the American Society for Industrial Security and is currently chairman of the Overseas Advisory Council, a body overseen by the Department of State that fosters the sharing of security information between the public and private sectors.

He wants to be the role model for a future generation of CSOs and seems to be well on his way. In fact, if you ask Littlejohn about his vision for the future of security management, he’ll tell you how he would like to see companies—especially international ones—hire a CSO who has the business acumen of a CEO, the respect of senior management and the voice to create company strategy.

You’d expect someone who wields such power to be a formidable presence, and he is. Tall and slim, he emanates confidence and authority without being overbearing. And his enthusiasm is contagious. Given the chance, he’ll talk articulately about security for as long as he can, or at least until the phone rings again.

Littlejohn is also modest, and he makes sure the people who work for him know he’s human. Even if he’s on the phone, his employees know they can knock on his door for advice. Unlike what you might expect from a law enforcement veteran, he has a ready smile, and his manner is open and friendly. And it’s no secret that he loves grande lattes from Starbucks.

GROUP Technologies

Protect Your Messaging Platform Today. Be Prepared for Tomorrow.

securiQ - Maximum E-mail Security. Beyond Anti-virus Protection - securiQ. For all your e-mail security challenges:

■ content filtering
■ image scanning
■ spam blocking
■ enhanced virus protection
■ encryption
■ legal liability
■ archiving

Call Toll Free - 877 - GROUP - 55
www.group-software.com

Littlejohn’s knowledge of Avon’s business strategy is immense but so is his sense of perspective. For weeks after the World Trade Center towers fell, lines of people waiting to get through newly installed access controls snaked out the front door of Avon’s office building and blocked the street. Jersey barriers and cement flower planters the size of elephants materialized in front of the Citicorp building two blocks away. Rather than spend money on security measures he wasn’t sure were appropriate for Avon, Littlejohn held back.

“You have to ask yourself what’s really necessary,” he says. “You don’t want to just throw money at the problem. Access controls are good, but do you need metal detectors? A lot of what’s been done is overkill, and the money could have been better spent elsewhere.”

In fact, Littlejohn is most concerned about the safety of Avon employees in places like Indonesia, Malaysia and the Philippines, where there’s a threat of terrorism, and Mexico, Brazil and South Africa, where kidnapping and carjacking are everyday realities of which he trains executives to be aware; earlier this year, an Avon employee was shot during a carjacking in South Africa, and a manager in the Philippines was kidnapped. Both survived. To prevent such incidents, Littlejohn visits such high-risk markets on an annual basis to check in on sociopolitical and economic situations, and gather the latest safety best practices from other security executives whose companies operate there. On his last trip to South Africa, he learned that many companies are installing Plexiglas windows and emergency escape devices in business executives’ cars in an effort to thwart carjackers, who tend to lie in wait at traffic lights before breaking both the driver’s side and passenger windows and stashing the victim in the trunk.

He hesitates to call New York a high-risk market, but having watched the devastation of Sept. 11 from his midtown Manhattan office window, Littlejohn is quick to tell you he wasn’t surprised. He’d been helping others prepare for such a disaster for years. But he also wasn’t expecting the massive breakdown in communications that followed.

“The most unnerving thing was the fact that no one could find out exactly what was going on,” he recalls. Despite his network of contacts high up in the FBI and NYPD, no one had a clear bead on what was going on or who was to blame. “It was the only time in my career that I felt out of the loop.”

What he didn’t do was panic. Despite unreliable Internet access and phone service, Littlejohn managed to locate all Avon employees in the city and made sure they were OK. He talked continually with Avon senior management and his colleagues in the International Security Management Association (ISMA), an elite group of about 400 security executives at Fortune 500 companies, many of which are headquartered in New York.

“I wanted to know how other companies were handling the events,” he says. “Were they staying open? Were they sending people home? Was it safe to close the office when bus and subway service had been suspended? Was it safer to stay at work?”

Littlejohn’s next concern was for his friends at the NYPD. On Sept. 12, he finessed his way through the barricades in Lower Manhattan and went to the police command posts around Ground Zero to check on his former colleagues. Despite the devastation, he stayed calm—eerily so, according to colleagues in ISMA who observed his stoic, measured decision making—and he remains calm still. He has to be that way, he’ll tell you. It’s his job. It’s not that he doesn’t feel the horror, but Littlejohn is acutely aware of a leader’s responsibility in crisis situations, and he understands that people look to him to keep a cool head.

Littlejohn identified the breakdown in communications and the lack of information during the terrorist attacks, and he spearheaded an effort—in part by calling on his extensive contacts in the FBI, NYPD and State Department—to create MetroLink, a network connecting his ISMA colleagues with their local FBI and police departments. Every time the FBI announced a new threat of attack, ISMA members knew where to get the real skinny.

“We had this network where we could go and find out what was really going on,” recalls Charlie Steadman, the partner in charge of companywide security at KPMG and a past president of ISMA. “Everyone else was running around chasing rabbits.”

Rabbit-chasing epitomizes everything that Littlejohn strives to avoid in his job and his professional dealings. Though he had crisis management and business continuity plans in place years before the attacks, he knows such plans cannot remain static. The annual evacuation drill for Avon’s New York office is one way he and the Avon staff stay prepared.

“It’s imperative that everyone understand exactly what they’ll do in a crisis situation,” he says. “I want people to know what it’s like climbing down 26 flights of stairs. How do you plan for and anticipate the needs of employees who require special assistance? How do you account for workers once you’re out of the building and at the assembly area? Do you know who was at work that day and who didn’t come into the office?”

As part of his updated disaster plan, Littlejohn is working with Avon senior management to create a remote system for tallying employees. “It’s not going to do you any good if it takes you 10 minutes to print out an attendance list and you have to get out of the building right now,” he states. “And what if your building becomes compromised? If the list comes from another location, it’s much more feasible.”




The events of September 2001 focused attention on a nationwide need for strong security leadership, a need Littlejohn had seen on the horizon for some time. In 1999, Littlejohn designed the curriculum for the ISMA Leadership Program, an intensive executive development and leadership seminar for potential CSOs. The yearlong program, held at Georgetown University in Washington, D.C., focuses on business skills like strategic planning in a domestic and international business environment, analysis and decision making, negotiation, persuasive communication and team building.

The ISMA program may be aimed at security executives, but it doesn’t teach anything specifically about security. “The people who enroll in the ISMA program have all the necessary security skills,” Littlejohn says. “But when you get up to the VP level, it’s a whole different ball game.

“To be an effective security leader, you have to be able to talk the talk with the CEO, the CFO and the VP of HR,” he says. “Get to the table and make your voice heard.” The way to do that, Littlejohn says, is to know what you’re talking about. “Or they won’t take you seriously,” he adds.

The recent attention on security has not only intensified the focus on it but has also highlighted the distance that Littlejohn thinks the CSO role will have to go before settling into an acceptable state of effectiveness. Ask him to elaborate and he will say that the role of the executive security officer is still in a state of flux that will require effort on the part of both companies and CSOs to resolve.

Take the issue of the job title, for instance. For most people, the CSO role is a new one, and it is still finding its place in companies that, prior to 9/11 or the Nimda virus, didn’t place security high on their priority list. That’s the case mostly with national companies, Littlejohn says. International companies, on the other hand, have focused on security for years, and those with the proper perspective on security have given executives the vice president title. “We are executives in the company. In Europe right now, the CSO is in charge of the guards at the front desk while the VP is directing the security operation,” he says. “If you’re going to talk about the title, it should be VP and CSO.”

The real question for Littlejohn is whether U.S. companies are ready to give security executives a strategic role in the organization. Ideally, he says, the role needs to include auditing, risk management, administration and financials. In the future, the role could morph into something like a chief integrity officer.

“Right now, all these responsibilities are spread across the enterprise—integrity is under finance, audit is under operations, safety is under risk management,” he says. “They could be bundled together with one person responsible for it all. That would have a stronger impact on the business.” A stickler for efficiency and communication, he’s adamant that IT security should be included in the CSO function’s responsibilities, if not directly, then by a strong dotted line to the IT department. Many investigations overlap with IT to some extent, he says, and you need each other’s support.

Underneath Littlejohn’s push for more emphasis on leadership and communication lies the cold, hard reality of the world at large. You may not be able to plan for everything, he says, but if you don’t try, you won’t have to worry about a second chance.

“If security executives don’t deliver, we’ll be replaced pretty quickly,” he admits. “That’s just the way it is.” ■

Staff Writer Simone Kaplan can be reached via e-mail at skaplan@cxo.com.

For more stories about security leaders like Bob Littlejohn, and the secrets to their success, visit CSOONLINE’S SECURITY EXECUTIVE RESEARCH CENTER. Go to www.csoonline.com/executive.


GROUP Technologies

Beyond E-mail Security - iQ.Suite

35 billion e-mails will be sent daily by 2005*: e-mail and business process security, organization, and management. Be Prepared for Tomorrow.

iQ.Suite - Maximum E-mail Security, Organization and Management. Intelligence for e-mail.

* Source: International Data Corporation

Call Toll Free - 877 - GROUP - 55
www.group-software.com



Find confidence in the midst of chaos.

Focus on the best in network security, every step of the way.

Start with a secure foundation.

Our operating system, IPSO, is built from the ground up for security. It eliminates many vulnerabilities common to general-purpose servers, and also incorporates our patented IP Clustering technology. Multiple Nokia security appliances can be linked as one, on the fly, for new levels of performance, reliability and scalability.

Integrate the best in network security expertise.

Partners like Check Point Software Technologies, Internet Security Systems and F5 help us deliver the full capabilities of their VPN, firewall, intrusion protection, and Internet traffic management applications. Our continuing deep collaboration also keeps us abreast of changing threats and accelerates the development of new products, to help our customers meet both external and internal threats with greater peace of mind.

Nokia security appliances are compatible with any IP network.

Whether you’re extending VPNs to remote offices, business partners and traveling employees, or improving the security of central offices and data centers, Nokia security appliances can answer your needs. To download case studies, specifications and more, just visit www.nokia.com/ipsecurity/na.

NOKIA: Connecting People


WHETHER IT’S DONE BY CUSTOMERS, EMPLOYEES OR ORGANIZED CRIMINALS, FRAUD TAKES A BITE OUT OF BUSINESS’S BOTTOM LINE. HERE’S WHAT CSOs SHOULD BE DOING ABOUT IT.

BY DAINTRY DUFFY


IT TURNS OUT THAT BASES AREN’T THE ONLY THING STOLEN AT SHEA STADIUM. After staggering through a losing season, the New York Mets suffered yet another indignity last October when it was revealed that four former Mets employees had allegedly bilked the ball club out of $2 million over a period of six years. According to Queens prosecutors, the suspects pulled off a variety of cons with the assistance of two accomplices who worked for team vendors. By overbilling the team for office supplies such as copy paper, setting up bogus companies and cooking up kickback schemes, the sextet netted hundreds of thousands of dollars a year for supplies that were never delivered. The Mets and Sterling Doubleday Enterprises, the Mets parent company at the time, proved to be easy marks. They were completely unaware of the scams, which dated back to 1994, until an internal audit in 2000 brought them to light.

As a company whose only product is baseball, the Mets organization provides relatively few opportunities for procurement fraud, certainly far fewer than do larger corporations. But even on a small scale, fraud can be incredibly damaging, and the Mets are a good example of both the ease with which fraud can be perpetrated and the difficulty of tracking it down. The “2002 Report to the Nation” from the Association of Certified Fraud Examiners found that the average fraud scheme lasts 18 months before it’s detected, and that internal controls seldom catch the crooks. In fact, according to the survey (based on 663 reported occupational fraud cases that caused more than $7 billion in losses), the top two cited means of detecting a fraud were a “tip from an employee” (26 percent) and “by accident” (19 percent)—hardly methods on which most companies are willing to stake their reputation or financial security.

IN THIS STORY: How CSOs, investigative teams, business leaders and others work together to fight electronic fraud

PHOTO BY MICHELE ASSELIN

VINCENT DELUCA, VP of fraud control, security and risk management at MasterCard, says CSOs must make sure top executives are fully committed to fraud-prevention efforts.

Financial Crime

As CSOs’ responsibilities expand, fraud is a problem that increasingly falls into their lap. Whether they lead their company’s fraud unit or govern just a piece of that apparatus, the CSOs’ expertise with layered security architectures and forensic tools, and their understanding of the importance of enforced processes and procedures make them invaluable players in the battle against corporate fraud. When it comes to fraud, “the CSO is responsible for detection, protection, prevention and recovery of all the organization’s assets,” summarizes Vincent DeLuca, vice president of fraud control, security and risk management for MasterCard International. But DeLuca stresses that success in preventing and detecting fraud requires that CSOs build strong working relationships with the other key executives who also play a part in fraud response. “The CSO must first align himself with the CEO and senior management,” he says. “They set the tone within the organization and [affirm] its commitment to protecting corporate assets.”

In fact, CSOs—as relatively new corporate players—are often in the position of joining an effort already in progress. Their challenge is to figure out the best way to enhance the process using their experience.

John Frazzini, a former special agent with the U.S. Secret Service financial crimes division, believes that even though fraud-prevention teams, investigative departments, IT security staff and legal counsel are already entrenched in dealing with fraud, there remains a crucial role that the CSO is well positioned to fill. “Tearing down the walls between those departments and getting them to work together is the most cost-effective way to get ahead of the risk,” says Frazzini. “CSOs should take the 50,000-foot view and make sure that, as the company moves forward with a fraud program, it does so with one voice.”


This story will look at the technical and organizational challenges of fraud detection for CSOs, the relationships they need to build in order to be effective and the best practices that some CSOs have unearthed for tackling corporate fraud head-on.

Culprits  and  Schemes 

The first thing to understand about fraud is its incredible breadth. Fraud encompasses everything from expense account and procurement scams to financial reporting irregularities, bid-rigging, intellectual property theft and more. Furthermore, specific financial-service sector industries such as insurance and banking have their own unique strains of fraud to worry about as well.

To a degree, fraud is still a pretty old-fashioned type of crime. Some of the techniques used in detection may have gone high-tech, but the same culprits and schemes that were popular a hundred years ago are still going strong. The vast majority of corporate fraud is perpetrated by insiders—employees and other trusted individuals who exploit their authorized access to do unauthorized things. Whether these people are embittered, financially strapped or just criminally opportunistic, they trade on their insider status by submitting doctored purchasing slips, thickly padding their expenses, setting up ghost employees or vendors, or simply selling the company’s customer list or other valuable information to an interested outside party. Unlike the “pump-and-dump” stock fraud schemes that were popular during the 1990s market boom and the accounting scandals that have dominated the news in the past year, individual expense and procurement frauds, embezzlement and misappropriation don’t wax and wane with the fortunes of the economy. They are easy to commit, produce high returns, are very hard to detect and are likely to fly under the corporate radar. Worse, in many cases they are tolerated as a cost of doing business. But when they rise above a certain financial threshold, these low-grade frauds become a legitimate business concern.

External frauds may be less common than internal ones, but the perpetrators are far more adept at using technology. Frazzini notes that one of the largest threats businesses now face is from organized crime syndicates out of Eastern Europe that specialize in identity and credit card theft for the purposes of extortion or financial fraud. “[Between] 15,000 and 20,000 customer account records can be stolen at a time,” he says. “Technology has given these criminals the ability to conduct mass victimizations because all the information is often stored in a single depository.”

Not surprisingly, financial services companies are the biggest targets. Techniques like “salami slicing” (stealing small, hard-to-notice amounts from many thousands of accounts on a given day) are profitable scams in the aggregate. Credit card numbers are often sold in chat rooms for $2.50 each; a few dollars more can get you enough information on a person to perpetrate identity theft. “Many of the countries [where this is done] don’t even have cybercrime laws,” says Tom Kellerman, a data risk-management specialist for the financial strategy and policy sector of the World Bank. “From their perspective, we are the wealthy elite, we created the game of capitalism, and now we’re seeing the dark side of it.”

Not only do CSOs have to stay up on the various flavors of fraud, old and new, but they are also under increasing pressure—especially in financial services—to comply with such government regulations as the USA Patriot Act. This omnibus antiterrorism law mandates that financial institutions verify the identity of anyone seeking to open an account, maintain records of their identification and check all such people against the “denied persons” list of suspected terrorists. That has added another layer of complexity to corporate antifraud measures in these industries.


How  CSOs  Plan 


CSOs’ reporting relationships may define their degree of responsibility for fraud detection and prevention. A CSO who reports to IT is likely to govern the technical side of a fraud investigation, whereas a CSO who reports to the legal, risk-management or CEO’s office may handle the investigation from both the business and IT angles. Rick Mercuri, vice president and corporate security director for Citizens Financial Group (the parent company of Citizens Bank), has worked in fraud investigations for 19 years. At Citizens, he and his group of 25 investigators are responsible for investigating all fraud incidents and the tracking, statistical reporting and trend analysis of fraud across the company. That is in addition to his role in managing the company’s physical security. Mercuri stakes a large part of his unit’s success on its independence from business functions that may hamper fraud investigations. He reports to the auditing group and then ultimately to the group executive of risk management. Both of those entities are historically autonomous. “In my career, I’ve seen cases where the investigation group reported to HR or another business unit that had too much of a vested interest,” he says. “I’ve seen investigations that were hindered, where there was too much oversight or involvement. With straight-line reporting to auditing and risk management, we have free reign over investigations.”

To be truly effective, says RICK MERCURI, VP and corporate security director for Citizens Financial Group, a fraud unit needs senior-level members who have the clout to make decisions.

In order to fulfill their security responsibilities (which, like fraud, touch almost all aspects of the business), most CSOs have already started building strong relationships with the so-called “other Os”—the top executives of the various business functions that are generally represented in the fraud unit. These established relationships place the CSO in the unique position of being the only executive with the necessary technical and business perspectives to knit together this diverse group of corporate characters.

PHOTO BY FURNALD/GRAY

At MassMutual Financial Group, a special investigative unit (SIU) is responsible for policing both internal and external fraud. CISO Bruce Bonsall is a member of the 2-year-old SIU team. He coordinates the security function’s active collaboration with the other members of the SIU, who are from internal audit and the legal department. The group meets quarterly to discuss new fraud trends and the investigative process.

“Don’t try to go it alone,” Bonsall advises security executives. “Good relationships with audit departments and legal people are critical because at some point something bad will happen, and [by then] it’s too late to start thinking about how you’ll handle those events as a group.”

The CSO must draw on different players for different objectives. HR and legal representatives will help determine how background checks and employee monitoring should be conducted, facilitate fraud-related terminations, and develop policy and legal parameters for employee conduct and investigation procedures. The public relations and general counsel offices will help strategize over what recourse the company will pursue when fraud is discovered, whether to bring in law enforcement, and when and how instances of fraud are announced to customers and the public. The IT, security and audit team members will be the corporate detectives who undertake the technical and physical sleuthing necessary to detect, contain and build a body of evidence to prosecute fraud.

Virtually all accounting and financial control systems—the candy stores of the fraud set—are computerized. CSOs already have the necessary understanding of the overall security architecture and the controls it has in place; they can take the leadership role in determining where those controls may have broken down and allowed fraud to occur. Their experience with incident-response planning around security breaches suits them well to drive the development of similar plans for incidents of fraud. A fraud-response effort will have to formulate how incidents should be handled, the mechanism for communicating those decisions through the executive branches and procedures for documenting the plan so that when an incident occurs there can be a rapid, decisive response. The plan should identify the “go to” people who are tasked with responding to each aspect of an incident. It should also define the appropriate procedures for conducting a fraud investigation so that evidence that is pulled off corporate networks isn’t tainted in the process.


How Technology Can Help

Technology is an important part of a company’s fraud prevention and detection program, but the good guys aren’t the only ones exploiting its capabilities. Crooks are often among the earliest adopters of new technology (remember the fondness of drug dealers for pagers back in the 1980s?). Frazzini notes that the drug cartels alone have invested $1 billion in technology. “Sleep with one eye open if you’re relying on technology,” he cautions. “[Criminals] will invest money, time and energy to beat you at the technology game.” CSOs need to view technology as just part of their defense rather than a panacea.

Companies can either buy customizable software or write their own rules-based programs that analyze network activity for specific indicators of fraud. For example, if corporate policy decrees that all purchases above $20,000 require approval, then a program that flags purchase orders for amounts between $19,000 and $20,000 could be useful in fraud monitoring. Similarly, a program could compare vendor addresses with employee addresses to detect “ghost” vendors.

PHOTO BY FURNALD/GRAY
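A small rules-based monitor of the kind the paragraph describes, written here as an added example (it is not code from the article or from any vendor named in it). It implements the two rules above, the just-under-threshold purchase order and the vendor-at-an-employee-address check, and goes one step further with a split-purchase rule; the $20,000 approval limit comes from the text, while the $1,000 band, the seven-day window and all names, addresses and orders are constructed assumptions.

```python
"""Rules-based fraud indicators over purchase orders: (1) orders priced just
under the approval threshold, (2) vendors registered at an employee's address,
(3) split purchases that together exceed the threshold. Sample data is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

APPROVAL_THRESHOLD = 20_000.00  # policy from the text: purchases above this need approval
NEAR_BAND = 1_000.00            # assumed: flag POs within this much below the threshold
SPLIT_WINDOW_DAYS = 7           # assumed: window for detecting split purchases


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor_id: str
    requester: str  # employee id of whoever raised the PO
    amount: float
    order_date: date


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    address: str


@dataclass(frozen=True)
class Employee:
    employee_id: str
    address: str


_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "suite": "ste"}


def normalize_address(addr: str) -> str:
    """Canonicalize an address so trivially different spellings compare equal."""
    cleaned = re.sub(r"[.,#]", " ", addr.lower())
    return " ".join(_ABBREV.get(tok, tok) for tok in cleaned.split())


def near_threshold(po: PurchaseOrder) -> bool:
    """Rule 1: amount sits just below the approval limit (threshold skirting)."""
    return APPROVAL_THRESHOLD - NEAR_BAND <= po.amount < APPROVAL_THRESHOLD


def ghost_vendor_matches(vendors, employees) -> dict[str, str]:
    """Rule 2: vendor_id -> employee_id for vendors whose address is an employee's."""
    by_addr = {normalize_address(e.address): e.employee_id for e in employees}
    return {v.vendor_id: by_addr[normalize_address(v.address)]
            for v in vendors if normalize_address(v.address) in by_addr}


def split_purchases(orders) -> set[str]:
    """Rule 3: several sub-threshold POs from one requester to one vendor inside
    SPLIT_WINDOW_DAYS whose total exceeds the threshold (splitting to dodge approval)."""
    groups: dict[tuple[str, str], list[PurchaseOrder]] = {}
    for po in orders:
        if po.amount < APPROVAL_THRESHOLD:
            groups.setdefault((po.requester, po.vendor_id), []).append(po)
    flagged: set[str] = set()
    for pos in groups.values():
        pos.sort(key=lambda p: p.order_date)
        for i, first in enumerate(pos):
            window = [p for p in pos[i:]
                      if (p.order_date - first.order_date).days <= SPLIT_WINDOW_DAYS]
            if len(window) > 1 and sum(p.amount for p in window) > APPROVAL_THRESHOLD:
                flagged.update(p.po_id for p in window)
    return flagged


def flag_orders(orders, vendors, employees) -> list[tuple[str, str]]:
    """Return (po_id, reason) pairs for every rule that fires, in PO order."""
    ghosts = ghost_vendor_matches(vendors, employees)
    splits = split_purchases(orders)
    findings = []
    for po in orders:
        if near_threshold(po):
            findings.append((po.po_id, "amount just under approval threshold"))
        if po.vendor_id in ghosts:
            findings.append((po.po_id, f"vendor address matches employee {ghosts[po.vendor_id]}"))
        if po.po_id in splits:
            findings.append((po.po_id, "part of a split purchase"))
    return findings


# Constructed sample data (hypothetical ids and addresses).
SAMPLE_EMPLOYEES = [
    Employee("E1", "12 Oak Street, Suite 4, Flushing NY"),
    Employee("E2", "9 Elm Avenue, Queens NY"),
]
SAMPLE_VENDORS = [
    Vendor("V1", "77 Industrial Rd, Newark NJ"),
    Vendor("V2", "12 Oak St., Ste. 4, Flushing NY"),  # same address as E1
]
SAMPLE_ORDERS = [
    PurchaseOrder("PO-1", "V1", "E1", 19_450.00, date(2003, 1, 6)),   # just under limit
    PurchaseOrder("PO-2", "V2", "E2", 3_200.00, date(2003, 1, 8)),    # ghost vendor
    PurchaseOrder("PO-3", "V1", "E2", 12_000.00, date(2003, 1, 10)),  # split: 23,500 total
    PurchaseOrder("PO-4", "V1", "E2", 11_500.00, date(2003, 1, 13)),
    PurchaseOrder("PO-5", "V1", "E1", 500.00, date(2003, 1, 30)),     # benign
]
```

Run `flag_orders(SAMPLE_ORDERS, SAMPLE_VENDORS, SAMPLE_EMPLOYEES)` to see one finding per rule hit; in production the same rules would run nightly over the purchasing system's export rather than over in-memory lists.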

The insurance industry is a frequent target of fraudsters. According to the Insurance Information Institute, property and casualty insurers alone pay about $30 billion annually in fraudulent claims (which includes the administrative and investigative costs of fraud). This leads, as we’re often reminded, to higher premiums for consumers.

To drive down the cost of fraud in its auto and home division, MetLife has teamed with Computer Sciences to develop an early fraud-detection system. The program, called @First, combines rules-based technology with predictive modeling to identify possible fraudulent activity. Previously, MetLife Auto and Home relied exclusively on the company’s claims representatives to spot possible fraud. But picking up on many of the common red flags (for example, an individual who files a claim within the first 30 days after obtaining a policy) required that claims reps note every policy’s inception date—which didn’t always happen. A claim that came through on a Friday before a holiday weekend, or at some other time when reps were unusually distracted, could slip through unnoticed.

John Sargent, manager of the corporate SIU for MetLife Auto and Home, wanted to provide a safety net. The @First system scours claims for signs of possible fraud: vehicle ID numbers and addresses similar to those of other claimants, drop boxes that could indicate a fictitious address, or the names of doctors and auto body shops that have been previously sanctioned. Using predictive modeling, the program looks at historical patterns of fraud and scores each claim for characteristics that in the past have indicated fraud. MetLife is currently using a test version of the technology and expects to have the software fully rolled out by the end of this month. To date, Sargent estimates as much as a 10 percent increase in the flagging of suspicious claims. But he cautions that even the best technology won’t replace the skills of a seasoned claims rep. “No system captures a reluctant voice on the phone or somebody who can never be contacted by phone but is able to call the claim rep,” he says. “We rely on their gut instincts.”

Many fraud-detection tools use link analysis or neural networks to reveal the hidden connections between pieces of information that, in combination, may indicate fraud. Credit card companies rely on these kinds of tools to help spot suspicious transactions. One of the most famous such products is the Falcon Fraud Manager from HNC Software (a subsidiary of Fair, Isaac & Co.). Falcon is a neural network system used by 85 percent of U.S. credit card issuers. It pools large volumes of historical purchasing data about cardholders and analyzes it to establish transaction and spending patterns so that exceptions to those patterns can be discerned. The software looks at how each customer spends against how risky that spending is. Using a mathematical algorithm, it computes the likelihood that a transaction is fraudulent on a scale from 1 to 999. For example, if a consumer historically uses her card once a week to purchase gas and groceries in a New Jersey ZIP code, a transaction posted for a gas purchase in Ohio would trigger a slightly elevated fraud score. Conversely, a big-ticket Ohio purchase of an easily liquidated item like jewelry would produce a much higher score. Each card issuer determines the threshold at which it will initiate a fraud response—for example, requesting the sales clerk to check the cardholder’s ID or referring the case to a fraud analyst.
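An illustrative per-cardholder scorer in the spirit of the gas-and-groceries example above, added here as a worked example; it is not HNC’s Falcon algorithm and uses no neural network. The 1-to-999 scale, the two issuer responses (ID check, referral to an analyst) and the New Jersey-versus-Ohio scenario come from the text; the features, weights, liquidity table, thresholds and the cardholder’s history are constructed assumptions.

```python
"""Cardholder-profile transaction scorer on a 1-999 scale (constructed toy):
location novelty, category novelty, amount anomaly and how easily the goods
convert to cash are combined into one score, then mapped to an issuer response."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    zip3: str       # first three digits of the merchant ZIP code (a region)
    category: str   # merchant category: "gas", "grocery", "jewelry", ...
    amount: float


# Assumed liquidity of goods per category; the text notes that easily
# liquidated items such as jewelry should score higher.
LIQUIDITY_RISK = {"gas": 0.1, "grocery": 0.1, "electronics": 0.8, "jewelry": 1.0}

# Assumed feature weights; they sum to 1.0 so the raw score lies in [0, 1].
W_LOCATION, W_CATEGORY, W_AMOUNT, W_LIQUIDITY = 0.25, 0.20, 0.35, 0.20


@dataclass
class Profile:
    """Per-cardholder spending pattern learned from transaction history."""
    zips: Counter
    categories: Counter
    amount_mean: float
    amount_sd: float

    @classmethod
    def from_history(cls, history: list[Txn]) -> Profile:
        amounts = [t.amount for t in history]
        # sd of 1.0 guards against division by zero for a flat history
        return cls(Counter(t.zip3 for t in history), Counter(t.category for t in history),
                   mean(amounts), pstdev(amounts) or 1.0)


def score(profile: Profile, txn: Txn) -> int:
    """Fraud score 1-999: higher means further from the cardholder's own pattern."""
    n = sum(profile.zips.values())
    location_novelty = 1.0 - profile.zips[txn.zip3] / n               # share of history elsewhere
    category_novelty = 0.0 if profile.categories[txn.category] else 1.0  # never bought this before
    z = max(0.0, (txn.amount - profile.amount_mean) / profile.amount_sd)
    amount_anomaly = min(z / 5.0, 1.0)                                # saturates 5 sigma above mean
    liquidity = LIQUIDITY_RISK.get(txn.category, 0.5)                 # unknown category: middling
    raw = (W_LOCATION * location_novelty + W_CATEGORY * category_novelty
           + W_AMOUNT * amount_anomaly + W_LIQUIDITY * liquidity)
    return max(1, min(999, round(1 + raw * 998)))


def decide(fraud_score: int, id_check_at: int = 250, analyst_at: int = 700) -> str:
    """Issuer-chosen thresholds (assumed values) map a score to a response."""
    if fraud_score >= analyst_at:
        return "refer-to-analyst"
    if fraud_score >= id_check_at:
        return "check-id"
    return "approve"


# Constructed history: weekly gas and grocery purchases in one New Jersey region.
SAMPLE_HISTORY = (
    [Txn("070", "gas", a) for a in (35.0, 38.0, 40.0, 42.0, 37.0, 41.0)]
    + [Txn("070", "grocery", a) for a in (95.0, 110.0, 102.0, 98.0, 105.0, 100.0)]
)
PROFILE = Profile.from_history(SAMPLE_HISTORY)

HOME_GAS = Txn("070", "gas", 40.0)            # routine purchase at home
OHIO_GAS = Txn("440", "gas", 45.0)            # new region, familiar purchase: slightly elevated
OHIO_JEWELRY = Txn("440", "jewelry", 2400.0)  # new region, big-ticket, liquid: much higher

if __name__ == "__main__":
    for t in (HOME_GAS, OHIO_GAS, OHIO_JEWELRY):
        s = score(PROFILE, t)
        print(f"{t.category:8s} in {t.zip3}: score {s:3d} -> {decide(s)}")
```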

Technology has made a huge difference in fraud detection for companies like MasterCard, according to DeLuca. “Before, cards would run seven, 10 or even 30 days before a customer got their statement and realized they didn’t make a transaction,” he says. “Globally, fraud as a percentage of our transactions is down in 2002 compared with 2001.”

Getting the Drop on Fraud

The challenges of fraud are unending. Fraudsters are constantly alert for new and ingenious techniques. “As we get up every morning to go to our jobs,” says Sargent, “they’re getting up to go to theirs. And their job is to steal money from us.” Given the broad spectrum of ways to conceal fraudulent acts across an enterprise, CSOs need to take high-level steps to strengthen corporate defenses.

The first is to be proactive rather than reactive. Frazzini recommends that CSOs get involved in industry groups and fraud-buster organizations to pick up best practices that they can bring back and share within their company. One such group is the Financial Services Roundtable, a Washington, D.C., trade association for the banking, insurance and securities industries that has a technology unit known as Bits. Within Bits is a fraud working group where member companies can share experiences and glean advice. In addition, the Association of Certified Fraud Examiners runs seminars and offers continuing education for fraud examiners.

Technology can also help make you more proactive. Systems that provide better real-time visibility of fraud and fraud losses can allow the business to get the jump on fraud before problems escalate. At Citizens Financial Group, Mercuri depends on his fraud-management system for an actionable view of the fraud landscape. With big-picture information, he says, “you can do the trend analysis, see the root causes and act on them.”

Having clearly communicated processes and procedures is an essential accompaniment to technology. CSOs should spearhead a fully developed fraud plan that gets input and buy-in from all the business units and top executives. “You would be shocked to find out how many companies don’t have protocols for reporting illegal or improper activity,” says Ed Rial, a former federal prosecutor who led the Brooklyn U.S. Attorney’s fraud unit and is now a principal with the Forensic & Investigative Services Group at Deloitte & Touche in New York. “You’ve got to get the information to the right people as quickly as possible. I’ve been on investigations where we’ve been given the name of a fraud point-person and they’ll say, ‘Oh, I don’t do that!’”

CSOs may want to strategize with the general counsel and other executives over what the company’s electronic records retention policy should be, paying particular attention to the system log files that track all network activity. The resulting policy should be worked into the fraud plan. Additionally, whatever plans the company develops must be tested. “You need to war-game and test against the system,” says World Bank’s Kellerman. “You can’t presume that you are invulnerable.”

Assembling the right staff for a fraud investigation unit is critical; having a keen understanding of finance or the forensic skills to track down a security breach is not enough on its own. “All the technology in the world is only as good as the people who use it,” says MassMutual’s Bonsall. “Most of the work is done by people thinking outside the box, following hunches and carefully following procedures.” Mark Rasch, former head of the U.S. Justice Department’s computer crimes unit and currently senior vice president and chief security counsel with managed security service provider Solutionary, recommends that CSOs look for people who have experience conducting internal investigations, are knowledgeable about the various guises that fraud can assume and are discreet—ideally with some law enforcement experience. Individuals with that background are good at interviewing people and making assessments based on body language and other subtle cues. Just because somebody specializes in pulling information off a computer network doesn’t mean that they are qualified to pull that same evidence and information out of a suspect.

Investigative units need clout as well. They’ll be ineffective if they’re made up of low-level managers who lack decision-making authority. Mercuri has seen companies where fraud working groups or committees sit around and discuss ideas and possible solutions, but then must run to their managers before anything can be approved. At Citizens, the fraud committee consists of senior executives who can implement their decisions. Giving the group further credibility is the fact that it is chaired by the company’s vice chairman. Mercuri credits the seniority of the group with the company’s success in reducing fraud. “If there’s a difference of opinion, we hash it out right there in that room,” says Mercuri. “And once we come up with a recommendation, we can act on it quickly.”

Beyond the fraud investigation unit, the CSO can make a positive difference by evangelizing to employees about the threats fraud poses. At companies like MassMutual, where most employees don’t encounter fraud on a daily basis, Bonsall often acts as the harbinger of caution and awareness. Even when fraud occurs at another company, he talks to MassMutual employees about it, making sure they understand the vulnerability that was exploited and the preventive measure that should be taken in response. “We need them to stop thinking like good, honest people and to start [thinking like] the bad guys,” he says.

The other challenge that Bonsall often encounters is that employees who suspect fraud is being committed are reluctant to bring their suspicions to the fraud-investigation unit. To counter this reticence, he markets the fairness and discretion of his unit to the company at large, hoping to ensure that people will come forward. “People like to try and take care of their dirty laundry on their own,” he says. Often, employees will attempt to prove an instance of fraud themselves before bringing it to Bonsall’s group—a habit that he is trying to stamp out. “I would rather that people bother us and have it turn out to be nothing than have it be something and then not have the evidence maintained to prove it.” ■

Senior Editor Daintry Duffy can be reached via e-mail at dduffy@cxo.com.


Did you know that nearly one-third of online merchants expect to be victims of fraud this year? For more SECURITY NUMBERS, visit CSOonline’s Metrics section. Go to www.csoonline.com/metrics.


Time-tested flavors of fraud are easy to commit, hard to detect, yield high returns and fly below the corporate radar.




CIO Magazine’s 11th Annual Enterprise Value Retreat & Awards Ceremony 2003

JANUARY 26-28, 2003, MARRIOTT DESERT SPRINGS, PALM DESERT, CALIFORNIA


Creating  IT  Value 

In today’s tough economy, everyone from the CIO to the chairman of the board demands full value from their investments in IT. But how do you agree on a definition of value? How do you communicate it throughout the organization? And how do you make sure you deliver on it? We bring CIOs and senior IT and business executives together to get real-world answers.


For up-to-the-minute agenda updates and to register for this event, visit www.cio.com/conferences or call 800 355-0246.


You’ll have the opportunity to:

■ Meet—and learn from—this year’s award winners

■ Roll up your sleeves with an all-new business/IT case study

■ Explore new ideas from thought-provoking speakers

■ Network with your peers at the CIO Golf Tournament and Super Bowl XXXVII Party


The  Resource  for 
Information  Executives 


CIO Magazine’s 11th Annual Enterprise Value Retreat & Awards Ceremony 2003

JANUARY 26-28, 2003, MARRIOTT DESERT SPRINGS, PALM DESERT, CALIFORNIA


SUNDAY,  JANUARY  26 

8:00  AM-1:00  PM 

Golf  Tournament 

3:00  PM-7:00  PM 

Registration  &  Super  Bowl  XXXVII 
Party 

7:00  PM-9:00  PM 

Dessert  Reception  &  Golf  Awards 

MONDAY,  JANUARY  27 

7:00  AM-8:00  AM 

Networking  Breakfast 

8:00  AM-8:15  AM 

Welcome 

ABBIE  LUNDBERG 

Editor  in  Chief 
CIO  Magazine 

8:15  AM-8:45  AM 

Opening  Keynote: 

The  Value  Proposition 

GREGOR  BAILAR 

CIO  Enterprise  Value 
Awards  Judge,  and 
Executive  Vice  President 
&  CIO  Capital  One 

How do we determine “value?” Direct, measurable financial ROI is only one way—and may not be the most important measure of a new business initiative’s success. Bailar has served as a judge for the Enterprise Value Awards for the past four years. He was executive vice president and CIO at Nasdaq, and vice president of advanced development for global corporate banking at Citicorp N.A. These experiences have given him broad insights into how the definition of value has shifted over the years, and if that shift continues to be reflected in this year’s winners.

8:45  AM-10:30  AM 

Case  Study:  Don’t  Just 
Lead,  Govern:  Effective 
IT  Governance 

PETER  WEILL 

Retreat  Moderator  and 
Director,  Center  for 
Information  Systems  Research 
MIT  Sloan  School  of  Management 


IT governance is the decision rights and accountability framework that can ultimately result in maximizing the value of IT throughout the enterprise. Effective IT governance encourages and leverages the ingenuity of all the people in the organization—not just the leaders—while ensuring compliance with the organization’s overall vision and goals. Weill will guide us through a real-world case study, and present findings derived from a new study of 265 enterprises in 23 countries. Retreat participants will then form small working groups over lunch to further analyze the case, and will present their own findings and recommendations to the whole audience Tuesday morning.

10:30  AM-11:00  AM 

Coffee  Break 

11:00  AM-12:45  PM 

Corporate  Partner  Industry  Briefings 

1:00  PM-3:00  PM 

Lunch  &  Case  Study 
Workgroup  Breakouts 

3:00  PM-3:30  PM 

Break 

3:30  PM-4:15  PM 

Enterprise  Value  Award  Winner 
Presentation:  U.S.  Securities  & 
Exchange  Commission  (SEC) 

KENNETH FOGASH 

Acting  Associate 
Executive  Director  &  CIO 

RICHARD  HEROUX 

EDGAR  Program 
Manager 

Moderator: 

MADELINE  WEISS 

Enterprise Value Review Board Member & President, Weiss Associates

The SEC’s goal: automated, quick and accurate receipt, processing and dissemination of financial disclosure information filed with the SEC by public companies. SEC executives share the outcome: their Electronic Data Gathering, Analysis and Retrieval (EDGAR) system.


4:15  PM-5:00  PM 

Enterprise  Value  Award 
Winner  Presentation: 

Health  Decisions 

RICK  FARRIS 

CTO 

MICHAEL 
ROSENBERG,  M.D. 

President  &  CEO 

Moderator: 

SUSAN  CRAMM 

Enterprise  Value  Review 
Board  Member  &  President, 
Valuedance 

Health  Decisions  clinical  and  IT  executives 
offer  lessons  learned  from  their  Clinical 
Trials  Management  System,  and  discuss 
its  potential  impact  on  the  process  of 
evaluating  new  drugs. 

5:00  PM-6:30  PM 
Networking  Reception 

Exchange  views,  best  practices  and 
challenges  with  your  peers  in  a  relaxed 
environment. 

TUESDAY,  JANUARY  28 

7:00  AM-8:00  AM 

Breakfast  &  Informal  Discussion 
Roundtables 

Join  your  peers  and  CIO  magazine  editors 
in  informal  roundtable  discussions  on 
current  technology  and  business  issues. 

8:00  AM-8:15AM 

Welcome  Back 
PETER  WEILL 

8:15  AM-9:15  AM 
Workgroup  Presentations 

Representatives  from  yesterday's  case 
study  workgroups  present  their  findings 
and  recommendations  to  their  peers. 

9:15  AM-10:15  AM 

Managing  the  IT  Portfolio 
PETER  WEILL 

Just like any other investment portfolio, the IT portfolio must be balanced to achieve alignment with the business strategy and the desired combination of short- and long-term payoff. Weill describes benchmarks of IT portfolios, uses video interviews with IT and business executives from UPS to illustrate how significant value is generated, and shows how some firms were able to achieve up to a 40% premium return on their IT investments.

10:15  AM-10:45  AM 

Coffee  Break 

10:45  AM-11:30  AM 

Enterprise  Value  Award  Winner 
Presentation:  University  of  Illinois 
Medical  Center  at  Chicago 

JOY  KEELER 

Associate  Vice 
Chancellor  &  CIO 

CHARLES  L.  RICE,  M.D. 

Vice  Chancellor  for 
Health  Affairs 

Moderator: 

JIM  MCGEE 

Enterprise  Value  Review 
Board  Member  &  Clinical 
Professor  of  Technology 
and  Electronic 
Commerce,  Kellogg 
School  of  Management 

IT and business executives discuss how their Gemini System enables electronic health records to replace all paper dealing with patient care, integrate multiple vendor products into a single-user interface, and provide ubiquitous access (including Wi-Fi) to caregivers.

11:30  AM-12:00  PM 

Special Address

ROBERT A. McCORMICK

Chairman & CEO, SAVVIS

12:00  PM-12:45  PM 

Corporate  Partner  Industry  Briefings 

12:45  PM-1:45  PM 

Networking  Lunch 


2:00  PM-2:45  PM 

Enterprise  Value  Award 
Winner  Presentation: 

Con-Way  Transportation 

JACQUELYN 
BARRETTA 

Vice  President, 

Information  Systems 

MICHAEL  KUCINSKI 

Director  of  Linehaul 
Operations 

Moderator: 

RICK  PASTORE 

Deputy  Editor,  CIO  Magazine 

Con-Way IT and business executives share their experiences developing and implementing their award-winning Linehaul Automation system, and discuss the benefit to them, their employees and their customers.

2:45  PM-3:30  PM 

Enterprise  Value  Award  Winner 
Presentation:  The  Wharton  School  of 
the  University  of  Pennsylvania 

GERRY McCARTNEY

CIO  &  Associate  Dean 

Moderator: 

MADELINE  WEISS 

Enterprise Value Review Board Member & President, Weiss Associates

Academic and IT executives at The Wharton School set out to develop an Internet-based research data service for use by their own faculty and students. They discuss how the resulting system—Wharton Research Data Services (WRDS)—gave them a whole new business model.


3:30  PM-4:30  PM 

Closing  Keynote: 
Technology,  Value... 
&  Values 

JARON  LANIER 

Computer  Scientist, 
Artist  &  Author 


Lanier’s wide-ranging interests and considerable talents have earned him recognition in seemingly disparate fields, including virtual reality, visual arts, software simulations and music. Here, we take advantage of his reflections on technology, society and humanity: Technology has indeed generated much value for business—but has it contributed much toward our values?

4:30  PM-4:45  PM 

Retreat  Summary  &  Reflection 

PETER  WEILL 

4:45  PM-5:30  PM 

Reception  with  Jaron  Lanier 

7:30  PM-9:30  PM 

Dinner  and  Enterprise  Value  Awards 
Ceremony 

Put  on  your  evening  wear  and  join  your 
peers,  CIO  staff  and  corporate  partners  as 
we  celebrate  the  winners  of  this  year’s 
Enterprise  Value  Awards. 

9:30  PM-11:00  PM 

Post-Awards  Dessert  Reception 
&  Party 

Dance  the  night  away— or  just  mingle  with 
colleagues  old  and  new  as  we  bring  this 
year’s  Retreat  to  a  close. 


The Enterprise Value Awards Ceremony is proudly underwritten by SAVVIS, “The Network that powers Wall Street.”

Sponsors: Legendary Reliability, Invensys, POWERWARE

And presented by CIO Magazine, The Resource for Information Executives


To  err  is  human.  But  can  you  really  forgive  the  security 
disasters  a  careless  employee  might  bring  to  your 
company?  Here’s  how  to  teach  users  that  they’re  your 
company’s  best  defense  against  information  security 
breaches.  By  Meg  Mitchell  Moore 


A computer password is tacked up casually on the cubicle wall. A door out back is wedged open during a quick cigarette break. A laptop is left carelessly behind in a taxi ride to the airport. And suddenly it doesn’t matter how good your company’s security system is. It has just succumbed to human failure.

“I can have all the gadgets in the world,” says Chris Apgar, data security and HIPAA compliance officer for Providence Health Plans, “but if people don’t understand the basics—like don’t send things over the Internet, and make sure your files are put away—well, I can spend millions on security, and it won’t do any good.”

And so it goes with corporate security. People get busy. Or distracted. Or careless. Or downright malicious. In fact, if there’s one thing about which people in the security field readily agree, it’s that weaknesses in user practices pose a bigger threat to an organization’s security than any vulnerabilities in technology do.

“The best technology can always be circumvented by an employee,” says Gary Morse, president of security consultancy Razorpoint Security Technologies. “You can have the best security policy in the universe, but people just get busy.”

Without a doubt, the employee is often the weakest link in the security chain. “People think, It’s just data; it’s not really important,” says Thomas Luce, former CSO of Rochester Health Care Information (RHI) Group and now an independent security consultant. “They don’t understand the damage they could do, especially in health-care and financial services companies.”

And so a solid recipe for a truly effective security strategy needs to include two parts common sense—and a certain amount of change management. “Security is not simply a piece of technology,” says Apgar. “It’s a culture and a process and a procedure and an indoctrination.”

Employee Education

IN THIS STORY: How to make an effective cybersecurity policy ■ Simple tips for better passwords ■ The pros and cons of using scare tactics

ILLUSTRATIONS BY CHRISTIAN NORTHEAST

“An organization’s technology is only as strong as the people behind it,” adds Roger Hughes, president of Data Security Auditors, an independent auditor. “Systems and processes are built by employees.” Which makes it imperative that you work to change the thinking in your organization from “Nothing bad will happen here” to “If I share my password, this can happen,” or “If I leave an area unsecured, that can happen.”

The biggest challenge facing the security industry is knowing how to transform an organization’s users from its biggest vulnerability into the first line of defense. The bad news is that it’s not going to be easy. The good news is that it’s not going to be impossible. Here are three steps to get started.

Step One: Develop a Written Security Policy

Although it may seem like a painfully obvious omission, the truth is that many companies have no real security policy. And of the policies that do make it onto paper, many go the way of screenplays written by struggling writers—passed around a lot, occasionally asked after but never really read. “The omission of a formal security training scheme is the norm,” says Michael Casper, information security officer at Wachovia Bank. “So simply having formal training materials and implementing them is paramount to the beginning of security education success.”

An effective security policy must first of all be put in writing. And in doing so, it should clearly spell out every last detail of company practices, such as how information technology employees should identify themselves when contacting a remote user about a technology problem, what types of e-mail are appropriate and how often users should reset their passwords. In addition to emphasizing security inside the building, a security policy should also address the dangers that lurk outside, including the risks of using laptops on business trips or carrying data on PDAs.

“It all boils down to a company having a solid yet understandable data security policy and procedure program,” says Data Security Auditors’ Hughes. “You know, making sure everybody knows what’s OK and what’s not OK.”

Just as important as creating a policy, says Razorpoint’s Morse, is making sure that the policy is uniform across all company locations. An organization that lacks consistency in its policy is vulnerable to social engineering attacks, for example, where a hacker can gain access to data or passwords by calling an employee and pretending to be from another location within the company. “In a word, people have to verify,” Morse says. “They have to be able to say, Who is that person, and how do I know?”

The tricky part lies in massaging a policy so that it protects valuable data while allowing users the flexibility they need to do their job. Providence Health Plans’ Apgar tells of an incident at his company when, upon discovering that Providence shared some systems with another health-care company, Providence had to put controls in place. The problem was the systems had little capability to limit access, so Apgar needed to do it without cutting off his own users from information they needed. “Data security got in the way of itself,” he says. “Instead of the security people saying, Maybe we should look at this and see if we can live with it, they said, Oh, the attorney said to do it, so we’ll have to turn it off.” After careful consideration and some heated discussions, Apgar’s group made the decision to build new controls into the system at minimal cost, which ended up working to everyone’s satisfaction. CSOs must first take the time to understand the business and users’ needs before setting limits.

In addition, Hughes points out, it’s critical to look at business partners outside your own firewall with whom you might be sharing information and address potential vulnerabilities in the security policy. “If you’re in manufacturing and you’re sharing proprietary information with the vendors helping you build, you might be secure, but how secure are your vendors?” he asks. A solid security policy covers all those bases.

Step  Two:  Sell  the  Policy 

It’s no secret that those who are well suited to create a security policy are not always the most adept at getting its message across. “Security professionals don’t always make the best communicators,” admits Stacy Bresler, senior information security principal at Pacificorp, a subsidiary of ScottishPower. When Bresler and his team implemented a new security awareness program for Pacificorp’s users, a group from corporate communications helped prepare the presentation material that was handed out to employees during awareness training sessions. “Good experts have a way of understanding and spreading that understanding,” he says. In addition, Pacificorp’s security team hired professional actors to play out the message in a video. Every employee was required to either attend a security presentation or watch the video.

Are your users’ passwords a joke?

People use the “password on a sticky note” as an example of weak security practices so often that the image has become almost a parody of itself. But experts say such blatant disregard for company security is not unusual. Written passwords stored next to a computer are one of the most common ways outsiders gain access to a company’s information, according to Razorpoint Security Technologies President Gary Morse. In addition, users are often quick to share IDs and passwords to allow others access into their files. “It’s a poor practice, and it happens in almost every business unit I’ve ever seen,” says Stacy Bresler, senior information security principal at Pacificorp, a subsidiary of ScottishPower. Thomas Luce, an independent security consultant, recalls a security audit he performed for a doctor’s office in which the whole office shared a simple user name and password that a third-grader could have guessed.

According to Morse, any word that appears in a dictionary is easy fodder for a hacker with the right computer program; programs can run through colossal lists of words in mere seconds. To guard against such attacks, he suggests that CSOs share these tips with users:

1. Take a common word and substitute one letter with a number or symbol. Or alternate consonants with vowels to create a word—like cacama—that isn’t in the dictionary.

2. Create a password you will remember without writing it down.

3. If you have to share your password for any reason, change it immediately.

4. Understand the particularities of the system your company uses—some programs are case-sensitive, but others are not. For those that are, consider alternating uppercase and lowercase letters.

5. Never use personal information that can be guessed easily: your or your spouse’s name, your children’s names, your birthday.

6. Never use the word password. (Don’t laugh. People do it all the time.)

-M.M.M.
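The tips in the “Are your users’ passwords a joke?” sidebar can be enforced at password-change time rather than left to memory. What follows is an added example, not code from the article or from any of the companies it quotes: a small policy checker that rejects dictionary words (tip 1), the word “password” (tip 6) and personal details such as names and birthdays in the common digit layouts (tip 5), and that hints about mixed case only where the system is case-sensitive (tip 4). The word list, the date layouts and the sample user profile are constructed sample data; a real deployment would load a full word list in place of the handful of entries shown.

```python
"""Password-policy checker built from the six tips in the sidebar.

Constructed example: the word list, date layouts and the sample user
profile below are invented data, not anything taken from the article.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed stand-in for a real dictionary. A real deployment would load a
# full word list (and the leaked-password lists that word-list tools use).
SAMPLE_DICTIONARY = frozenset({
    "password", "welcome", "summer", "dragon", "monkey", "letmein",
    "sunshine", "football", "company", "secret", "camera", "computer",
})

# Date layouts people commonly type into passwords (constructed list).
BIRTHDAY_FORMATS = ("%Y", "%m%d", "%d%m", "%m%d%y", "%d%m%y",
                    "%m%d%Y", "%d%m%Y", "%Y%m%d")


@dataclass
class UserProfile:
    """The personal details tip 5 says must never appear in a password."""
    username: str
    own_names: list[str]
    family_names: list[str] = field(default_factory=list)
    birthday: Optional[date] = None

    def guessable_tokens(self) -> set[str]:
        """Lower-cased substrings that would make a password guessable."""
        tokens = {self.username.lower()}
        for name in self.own_names + self.family_names:
            if len(name) >= 3:  # skip initials, which match almost anything
                tokens.add(name.lower())
        if self.birthday is not None:
            tokens.update(self.birthday.strftime(fmt) for fmt in BIRTHDAY_FORMATS)
        return tokens


@dataclass
class PolicyResult:
    accepted: bool
    violations: list[str]  # hard failures: the password is rejected
    advice: list[str]      # soft hints worth showing the user


def check_password(password: str, user: UserProfile,
                   system_case_sensitive: bool = True) -> PolicyResult:
    """Apply the checkable tips (1, 4, 5, 6); tips 2 and 3 are behavioural."""
    violations: list[str] = []
    advice: list[str] = []
    lowered = password.lower()

    # Tip 6: never use the word "password", not even as part of the string.
    if "password" in lowered:
        violations.append("contains the word 'password'")

    # Tip 1: a bare dictionary word falls to a word-list attack in seconds.
    if lowered in SAMPLE_DICTIONARY:
        violations.append("is a dictionary word")

    # Tip 5: no names, user name or birthday in any common layout.
    for token in sorted(user.guessable_tokens()):
        if token and token in lowered:
            violations.append(f"contains personal information: {token!r}")

    # Tip 4: mixing case only helps on systems that honour it, so the hint
    # is suppressed for case-insensitive systems.
    has_letters = any(ch.isalpha() for ch in password)
    if (system_case_sensitive and has_letters
            and password in (lowered, password.upper())):
        advice.append("uses a single letter case; alternate upper and lower case")

    return PolicyResult(not violations, violations, advice)


# Constructed sample user for the demo below; every value is invented.
SAMPLE_USER = UserProfile(
    username="jsmith",
    own_names=["Jane", "Smith"],
    family_names=["Tom", "Lily"],
    birthday=date(1975, 3, 14),
)

if __name__ == "__main__":
    for candidate in ("password", "Lily0314", "summer", "cacama", "c4Cama"):
        result = check_password(candidate, SAMPLE_USER)
        verdict = "accepted" if result.accepted else "rejected"
        print(f"{candidate!r}: {verdict} {result.violations} {result.advice}")
```

The split between `violations` and `advice` mirrors the sidebar: tips 1, 5 and 6 are rules a system can refuse to accept, while tip 4 is a recommendation that only matters where the application honours case, so the checker takes a `system_case_sensitive` flag instead of guessing.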

Security, except to a select few, is about as exciting as watching the grass grow...in the desert...during a heat wave. “I think you have to be a certain person to care about security,” says Bresler.

Independent security consultant Luce agrees: “Security is a boring topic to most people. So you have to put stuff in to counter that and get people’s attention.” His suggestion: Make it fun. When he worked for RHI, he introduced an in-house security training plan with a kick-off party. On occasion, he would also run tests to see who could catch potential security breaches. Those who discovered them were rewarded with gift certificates for dinner or points toward a bonus vacation day.


At Providence Health Plans, Apgar strives to take a positive approach to get his users’ attention focused on security procedures. “Instead of saying, You have all this stuff you need to do, we say, We do 80 percent of this already, and we just need to do it better.” And, he insists, trust is a key ingredient to a secure organization. “If you trust people to be honest and professional, 90 percent will be,” he says. “If you expect the opposite, that becomes a self-fulfilling prophecy.”

Since security is not top of mind for the typical user, security executives must also emphasize the rules stated in the policy regularly. “It’s an educational process, and it’s repetitive,” says Luce. This repetition becomes particularly important when the company’s policies change. “Once everyone is trained, you have to have everyone sign off on [the policy] every year,” says Hughes. “Give them an updated version, educate them on what the changes are, and have them sign something saying they agree to comply.”

Any method will work—as long as the education takes place. For example, a security officer at a large food manufacturer says his department publishes frequent security bulletins with reminders about keeping passwords safe and cleaning sensitive data off machines. The company then distributes hard copies to everyone because employees are more likely to read paper than they are to read e-mails, he says. At Providence Health Plans, Apgar varies his approach. “We do training periodically,” he says. “We keep the lines open, combining a number of different approaches, from formal training to an informational stop in the hall. We’re taking it a little bit at a time.” At Pacificorp, Bresler and his team conduct walk-throughs at individual desktops, performing surprise audits and reminding users of the rules.



Step Three: Enforce the Policy

While a company’s security team is ultimately responsible for generating security policies, some of the onus for enforcing them should fall on department managers. In the health-care industry, for example, Apgar has learned that good security means performing a balancing act between giving people enough information to do their job and keeping privacy intact. One of the keys to that, he says, is keeping the lines of communication open with department heads so that if breaches occur, management can play a role in repairing them.

When Apgar learned that users in his organization had broken two of the cardinal rules of health-care security—don’t fax screen prints from claims, and don’t use the system to look up your own information—he went to the appropriate department managers and helped them decide how to educate their staff. Pacificorp’s Bresler follows the same advice. He and his security colleagues expect middle management to accept the bulk of responsibility for enforcing security policies. “In an organization of our size [8,000 users], we’re not going to micromanage down to the end users,” he adds.

Bresler says that managers should also be responsible for enforcing the rules related to wireless security. “Business managers want their users to be productive but don’t consider the risks associated with that,” he says. For one thing, Bresler says, it’s rare for business managers to communicate to users the dangers of connecting a laptop holding sensitive data to a hotel LAN. “Wireless is convenient, cheap and handy,” adds Morse. “Unfortunately people want the quick fix, and they take it out of the box and they go through the quick start guide. They don’t turn on access passwords or the encryption.” It’s possible to make wireless devices much more secure, he says, but it involves some extra work on the part of the users.

Delegating accountability to your users is also key to a security policy’s success. If “it will never happen here” takes first place as the CSO’s least favorite sentiment, “a security breach won’t really affect me” comes in a close second. “A lot of people don’t understand the implications of what the information could do outside of their hands,” says Luce. Once users comprehend the importance of the data they safeguard, they should know that failure to comply with security policies could mean a big fat black mark on their record. After all, most users are more interested in their personal interests than those of the company. If users know that their personal well-being is at risk, they will start to think about corporate security in a whole new light.

“Some companies have updated their packets, and there are whole sections saying, ‘You will maintain proper passwords or you’ll be fired, or liable, or both,’” says Razorpoint’s Morse. Pacificorp’s Bresler thinks a “three strikes and you’re out” policy is ideal.

Who Loves Ya, Baby?

Or at the very least, who promises to honor and obey your security policies?

Chart categories: Management; I.T. Dept.; Security Dept.; Other Employees; Outside Vendors, etc.

Percentage of employee groups deemed “extremely or very compliant” with their company’s security practices from an exclusive CSO magazine survey of 797 security executives. For more details on this survey, check out www.csoonline.com/csoresearch.

To that end, security experts say, it’s critical to work closely with the human resources department. Forging a strong link can build valuable and necessary support, says Hughes, and will guarantee follow-through if breaches occur. “IT and HR must work in concert with the COO or GM to make sure people understand these policies and procedures,” says Hughes of Data Security Auditors. “Have a luncheon or seminar or a new-employee orientation where the security policy is part of it. Have employees sign it, and make sure they know they’re accountable. If they do something that costs the company money, that’s grounds for termination.”

Just as important as preaching accountability is practicing it. Luce notes that even when companies write such accountability into their policies, a lot of users don’t pay attention. Senior management, he says, is prone to letting offenses slide. He recalls performing security audits at organizations with supposedly zero-tolerance policies that looked the other way when security breaches happened by accident. That, he says, is asking for trouble. “Human nature says you’ll get away with whatever the minimal amount of work is,” says Luce. “If you don’t put something in place to force users to use real passwords, then they won’t.”

Scare tactics are a controversial way to guarantee compliance. Luce is an admitted fan of using horror stories when he conducts audits. “I do quite often use scare tactics, usually with a newspaper article about a lawsuit. That does a really good job on presidents and CEOs,” he says. Apgar of Providence Health Plans also uses such a strategy, but cautions against relying on it too often. “I use horror stories judiciously,” he says. He worries that too many tales of security gone wrong could turn him into Chicken Little. But he says he’s not averse to telling senior management stories that hit close to home, like breaches that have happened in their own industry.

Bresler adds that he prefers to sanitize the story of something that actually happened to Pacificorp and make it public. “These things do happen and have resulted in dismissals,” he says. Users who hear “this could happen to you” stories are more likely to take security policies seriously.

In the end, technology can do a lot to protect precious corporate assets, but it can go only so far. The rest is up to the users. “You can have a really nice garage, but if there’s no door on it, it’s wide open for a car thief,” says Hughes. The harder the CSO works to make users the responsible stewards of corporate data, the safer a company will ultimately be. ■

Meg Mitchell Moore is a freelance writer in Marblehead, Mass. Send comments to csoletters@cxo.com.


Prevent your employees from accidentally or purposefully compromising your company’s security. Read “Danger Within—Protecting Your Company from Internal Security Attacks,” a CSOonline ANALYST REPORT from Gartner.

Go to www.csoonline.com/printlinks.




Intense School: Information Technology Security Boot Camps

• CISSP® In 7 Days
• Check Point In 6 Days
• Security+/TICSA In 6 Days
• Advanced Forensics In 3 Days
• Professional Hacking In 7 Days
• SANS Gold Standard Mentor-led Training
• CCSP® Cisco Certified Security Professional In 12 Days

800-330-1446 WWW.INTENSESCHOOL.COM

LOCATIONS IN FT. LAUDERDALE, FL | NEW YORK METRO | COLUMBUS, OH | SAN DIEGO, CA | WASHINGTON, DC METRO


CLEARED FOR

James Loy, head of the U.S. Transportation Security Administration, is confident that he can safeguard the airlines and their passengers, now that Congress has said he can unpack


Judging by the number of cardboard boxes in Adm. James Loy’s office at the U.S. Transportation Security Administration (TSA) last autumn, Loy might have just finished packing or been just about to unpack. The truth is, from July to November, he was in a holding pattern. His office, in Washington, D.C., was temporary—and not just because it was hastily constructed from prefab walls after the post-9/11 flurry of legislation to Fix Things.

Loy was waiting for official word from Congress that would allow him to drop the “acting” from his title of undersecretary of transportation for security. Only when his confirmation came through, right before Thanksgiving, could he unpack the boxes in an empty office across the hall that has real walls. Even then, no one knew how long he’d last in the office vacated by John Magaw, who was ousted seven months after being brought in to help build TSA from scratch.

Magaw left in July, ostensibly for health reasons, but really because Secretary of Transportation Norman Mineta thought the former Secret Service head didn’t play well with politicians or the airline industry. “Magaw wasn’t the right guy for the job, and that’s putting it nicely,” says Billie Vincent, former director of security for the Federal Aviation Administration turned consultant. “Is Loy the right guy? We don’t know yet.”

IN THIS STORY: How to fight budget and time constraints and public scrutiny to secure your business ■ Why buy-in, lobbying and an act of Congress are needed to get a security chief’s job done

PHOTOGRAPHY BY DRAKE SOREY

National Transportation

What CSO-types in the airline industry do know now is that TSA is listening to them. Loy’s staff meets regularly with officials from the major airlines about how to prevent another 9/11 without crippling an industry that, according to the Air Transport Association of America, lost more than $7 billion in 2002.

Loy’s work thus far has had mixed results. Even as he was celebrating the fact that his organization met its deadline to replace private security guards at airport checkpoints with 45,000 better-trained federal ones, he had to face the fact that about 30 of the nation’s busiest airports would not have permanent systems in place to screen all checked baggage for explosives.

Nowhere is the age-old struggle between convenience and security more pronounced than in the battle to secure the nation’s skies. Loy, who retired as commandant of the Coast Guard the same day he was tapped for TSA, seems older and wiser than his 60 years. But he’s still optimistic that he can strike the balance necessary to keep the nation’s air travelers—and the industry that serves them—both safe and satisfied.

CSO Senior Writer Sarah D. Scalet recently spoke with Loy about that challenge.


CSO: I used to go to a copy shop with a sign that said, “Fast, cheap and good—pick two.” It seems a little like the trade-off for airline security: convenience at the gate versus cost versus good security. How do you achieve a balance?

James Loy: If you think about the post-9/11 security world that we’re living in, we’re attempting to come to grips with what I’ve termed the “new normalcy.” We’ve been living under the yellow Homeland Security alert level for months now. [Mineta’s] challenge in the face of that new normalcy is to achieve world-class customer security and world-class customer service. It is a balance of two, at least for the moment, equally weighted goals.

TSA is focused for the moment on aviation security and airports because of the way the ATSA [the Aviation and Transportation Security Act, which called for the creation of TSA] was written, but eventually we want the national transportation system writ large to be the benefactor of a higher security profile. We can provide that in a variety of ways. We can make it so stifling that we eliminate commerce, bring commercial aviation to its knees and irritate every member of the American public who’s going through a checkpoint. Or we can make an investment in our employees such that they become professional enough that the traveling public will look back on the experience of going through a checkpoint and say, They were professional; they helped me through the process; they told me why I had to take off my shoes; and they said, Have a nice flight. Citizens can either look back and say, That’s the worst thing that ever happened to me; I’m never flying again. Or they can say, I am delighted to be the subject of adequate security. That’s what I mean by the balance.

In regard to the hassle factor at the gate, you think it’s not a matter of how long someone waits in line at the gate but rather the demeanor of the person she encounters when she gets to the front of it?

It’s both of those things. Unfortunately we have at the moment a hassle-factor environment. I am methodically trying to get rid of it one step at a time, but we do not want to get rid of it if the only way to do so is to lower the security profile. I have no idea what the index is, but let’s say we’ve gained from a 2 to an 8 on a 10-point scale in security. In order for me to increase customer service and customer satisfaction, I am not willing to take the 8 back down to a 5.


Are those steps the items on your “stupid rule” list that I’ve read about?

The stupid rule list is [Deputy Secretary of Transportation Michael] Jackson’s name for it, but I guess I will own it. For example, the two-question rule [“Has anyone unknown to you asked you to carry an item on this flight?” and “Have any of the items you are traveling with been out of your immediate control since you packed them?”] was around for 16 years. Doing away with it was a matter of bringing it onto the table and saying, very objectively, what does this add to the security experience? If the answer is nothing, then we should do away with it.

How do you define the difference between safety and security?

In the old days it was a blur—9/11 clarified it. Safety is all about the equipment on board, the training of the pilots, the effectiveness of the flight attendants, whether the wing is going to fall off, if the rudder does what it’s supposed to do. All those things remain the responsibility of the Federal Aviation Administration. The security piece is focused on how transportation security fits inside Homeland Security, which fits inside national security.

The airline industry is under financial strain, but people in the industry have said you’re more in tune with their needs than your predecessor. How do you balance your relationship with them with the fact that better security will cost money?

There are many stakeholders in the aviation system—some are commercial, some are passenger, some are cargo, some are charter, some are general aviation aircraft. If I’m doing my job right, I will have inculcated in my staff the value of reaching to the impacted players in the industry when we are in the midst of developing policies—not to closet ourselves up into a little bunch of federal bureaucrats and hope we get it right. Better security, almost by definition, will have to cost money. It’s a matter of who pays. The federal government is certainly going to make a huge contribution in that regard by way of appropriations from Congress. This organization is into its 10 billionth dollar investment from Congress.

At the same time, Congress recently left a cap on the number of employees you could hire.

That’s a whole other story. To whatever degree the airline industry is in the financial straits that it claims, certainly very vocally and avidly, there’s a lot of things that can be paid for by others. Already, the flying passenger is paying the bill, and the taxpayer is paying it through a different channel, in appropriations to TSA and other agencies. The “who pays” issue is foggy, and it is enormously important to us because we’re doing things that Congress directed us to do.

How do you handle not having enough staff?

There were some unfortunate numbers used early on to suggest that the third-party contract screeners hired by the airlines prior to the establishing of TSA—somewhere between 20,000 and 30,000 screeners—represented the entire screener population. The reality was, that number may have been the employees of third-party screeners, but it belies the contributions being made by airlines and other oversight associated with the screeners. It did not include gate screeners. It also included almost zero baggage screeners, which were not part of the scene before 9/11. When you add it all up, that’s where we come down on numbers as high as 33,000 at checkpoints and 22,000 baggage screeners for a total of 55,000. There’s still much at play there. Congress voted the 45,000 cap on the organization, but there was little clarity as far as what the definition was or should be. We may very well be able to live with 45,000 full-time screeners, if the rest of the organization was exempt from that definition. And we have part-time and temporary hires who don’t count against the permanent full-time cap.

You were against the issue of arming pilots. A lot of our readers must secure programs they feel are inherently insecure. What safeguards will you implement so that you’re more comfortable with it?

I just found it difficult to champion the idea of introducing weapons into an environment that we’ve gone to great pain to keep clean, with the exception of federal air marshals. Having said that, I can also read the tea leaves, and the tea leaves are pretty bold with Congress in favor of arming pilots by 87-6 on the Senate side and 3-1 on the House side. My effort will be to make the process as methodical as possible.

As far as the trusted or “registered” traveler program, people say it favors convenience over security. How will you ensure that terrorists don’t infiltrate that system?

The secret is the background investigation process that we would require of anyone who would end up a registered traveler. It would not be based on, “I promise never to bring a weapon on board an airplane.” It’d be based on a background investigation and a fingerprint check against criminal history files.

Do you think there’s too much concern about political correctness as far as profiling?

I have used the “P” word. I think it is appropriate for us to examine behavior patterns like those that offered a chance for 19 terrorists to commandeer four commercial jetliners. There’s profiling with a big “P,” which is the American instinct against gender-based, ethnic-based, racial-based kinds of profiling, and obviously we don’t want to go there. On the other hand, there’s profiling with a small “p,” which is about potentially understanding behavior patterns and acting on them in the interest of security for the nation. I would be equally remiss if we didn’t find better ways to do that.

What’s the status of the CAPS [computer-assisted passenger prescreening] program?

CAPS 1, which we inherited, is the only game in town. It’s being used at the moment, but it is providing less than adequate security services. As soon as you know the rules, you can find a way around them. We want CAPS 2 to be a system that is going to do two things. First, we want it to be much better at the identification business. Today, in CAPS 1, when I buy a ticket it says “Loy, J.”, all I need to do is show a photo ID, which I could have bought at Battery Park right after I bought a watch. There are law enforcement standards associated with identification that we need to incorporate. And those have to be bounced off a list of people whose names we have concerns about. It’s looking not at, did you buy a one-way ticket this morning, but rather, do you have a criminal history? We’ve worked hard as a country to build a terrorist tracking task force in the Department of Justice, which I’m sure must have a database that we should be using.

CAPS 2 has to incorporate the ability to do those kinds of things and down the road add applications that might enhance our ability to do more thoughtful things. For example, there’s some excellent software that we’re looking at that is about name identification. Mohammed has, for example, many interpretations of spelling around the world. A software program could help us determine whether or not the right Mohammed is the guy standing in front of us. And that all has to be focused on a system that enables an almost instant turnaround query so that even a walk-up person buying a ticket at the terminal can be queried against the CAPS system.

Can you prevent someone from getting on a plane who hasn’t actually broken the law?

I have to be careful here because this is classified stuff, but it’s a matter of, what are the deliverable outcomes and what’s the labeling process? If you worry about profiling up front, you worry about labeling. There’s a category of folks who deserve more scrutiny. If we find someone, when we check against the FBI database, who’s wanted for murder in 12 states, we ought to keep him from boarding the aircraft. The point is that CAPS 2 will be a quantum level better in security and customer service. If we have it in place, and we re-sequence the events that actually occurred at an airport, we can probably get rid of gate screening—the secondary screening that occurs just before you board the aircraft. My goal as part of the customer service hassle-factor reduction would be to eliminate gate screening.

What do you think of news reports from time to time where someone walks through a security gate with nonapproved items?

I’m troubled when journalists or whoever else break the law consciously to test the system. That in and of itself is a bother to me. The inspector general’s office has a very robust self-testing system that is designed to do the same thing in an environment in which we can take the appropriate action. Which is to say, if we get something through, we want to go back with remedial training instantly for the screener or the screener’s supervisor, or maybe even find that the performance is such that termination is the right answer. You might remember a case a while back where a woman successfully got a .357 Magnum through the checkpoint process in Atlanta, carried it all the way to Philadelphia, left the sanitized area, came back through the checkpoint and was found there. When we tracked that one back in Atlanta—it was not a TSA employee, by the way—we isolated the screener, who had done exactly what she was supposed to do. She didn’t understand what she saw on the screen and called her supervisor. The supervisor said, “I see what you mean.” He hand-checked the bag and didn’t find the weapon, and off it went on the airplane. The screener is still working; the supervisor is not. The notion there is accountability.

We have to understand that it’s a system. It’s not the screener’s failure by definition. It may be equipment failure. It may be procedure failure. It’s the way those things work together that provides the security we’re after. ■

Contact Senior Writer Sarah D. Scalet at sscalet@cxo.com.

For more on protecting people inside and outside the walls of your organization, visit CSOonline’s THREATS & RECOVERY RESEARCH CENTER. Go to www.csoonline.com/threats.




Technologies, Tools and Tactics

Edited by Elaine M. Cummings

On the Same Wavelength

Wireless networks are all the rage. But do you know how to protect your data from eavesdropping hackers? By Simson Garfinkel

ILLUSTRATION BY ANASTASIA VASILAKIS

You’ve read a lot about the security of wireless LANs—or WLANs—during the past year. With the plummeting prices of wireless access points and laptop cards, businesses, schools and home users have all rushed out and installed low-cost WLANs. Most of these systems are easy to install, and as it turns out, most wireless access points have their access control disabled. This is great for usability: If you can receive the radio signal, you can put your laptop on the network without setting any codes or entering any encryption keys.

But that also means that many homes and businesses have inadvertently opened their network to outsiders because radio waves can travel through walls, out onto the street and even into your neighbor’s house. And you thought the British Royal Family had problems.

Because of those WLAN vulnerabilities, “war driving” has become a popular hacker pastime. All you need is a wireless card, a laptop, a global positioning system receiver connected to your laptop, a car and a free afternoon. Drive around town with a copy of NetStumbler or a similar program running, and your computer will log the geographical position of any WLAN it finds. When you’re done, you can graph the results on your computer. You can even upload the findings to one of the national databanks. Or, if you feel especially motivated, you can get out of your car and mark the area so that other nosy strangers can find it—a kind of hacker public-service ritual known as war chalking.

Although war driving started as an exercise in demonstrating computer security holes, most people involved these days have a different political agenda. They’re interested in using WLANs to create a mesh of free wireless Internet service throughout our neighborhoods. The war driving maps show where coverage is good and where new coverage needs to be added.

With identity theft estimated to account for $239 billion in annual worldwide losses, it would follow that the strings of numbers that identify us are valuable assets. But because digital devices are hostile, they can’t be trusted to protect users from ID theft. That, at any rate, is the view of Winston Keech, president and CTO of Swivel Technologies. Keech finds that most authentication schemes don’t properly account for the security weaknesses of networked devices. When passwords and PINs are keyed in and sent over networks, they are vulnerable to capture in a variety of ways: network sniffing, keyboard monitoring or direct observation (also known as “shoulder surfing”). United Kingdom-based Swivel (is it our imagination, or are Brits more paranoid than Yanks?) has developed a way of masking four-digit PINs through the use of randomly generated security strings. Instead of keying in a PIN that could be intercepted, the user enters a one-time code that is created based on the sequential position of the digits of his PIN within the random 10-digit string (see diagram). The one-time code entered by the user is correlated to his PIN, providing authentication and enabling access.

(Diagram: Swivel PIN, Security String, One-Time Code (OTC).)

Keech and Swivel see their algorithm-based system as either a low-cost alternative to a public-key infrastructure or as an extra layer of security on top of it. Because the system requires a relatively low investment, large populations of users can be authenticated easily without putting their PINs at risk. The software system requires no special hardware and little overhead on the client device. (The random security string can be delivered to a PDA or cell phone in an application of less than 500 bytes.) As the infrastructures governing all types of access converge, Keech sees no reason why a scheme like Swivel’s can’t be used to enable entry both to physical spaces and information networks. -Lew McCreary
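The position-indexed one-time code that the Swivel sidebar above describes, as an added worked example (not Swivel’s code): the exact position convention, the single-use and expiry rules, and the `candidate_pins` check of what an observer of both values learns are all assumptions of this model.

```python
"""Model of a position-indexed one-time code (OTC) scheme, after the article's
description of Swivel's PIN masking.  Added illustration, not Swivel's code.

Constructed model:
  * the server holds the user's 4-digit PIN and issues a fresh random 10-digit
    security string per login, delivered out of band (e.g. to a phone);
  * the user answers with the OTC: for each PIN digit d, the character of the
    security string at position d (assumed convention: digits 1..9 name
    positions 1..9, digit 0 names position 10);
  * the server recomputes the OTC from the stored PIN and compares.
"""
import hmac
import itertools
import secrets
import time
from typing import Dict, Optional, Set, Tuple

PIN_LENGTH = 4
STRING_LENGTH = 10


def _check_digits(value: str, length: int, name: str) -> None:
    if len(value) != length or not value.isdigit():
        raise ValueError(f"{name} must be exactly {length} decimal digits")


def new_security_string() -> str:
    """Fresh random security string; digits may repeat (see candidate_pins)."""
    return "".join(str(secrets.randbelow(10)) for _ in range(STRING_LENGTH))


def one_time_code(pin: str, security_string: str) -> str:
    """The OTC a user types for this PIN against this security string."""
    _check_digits(pin, PIN_LENGTH, "PIN")
    _check_digits(security_string, STRING_LENGTH, "security string")
    # PIN digit d selects position d (1-based); digit 0 selects position 10.
    return "".join(security_string[(int(d) - 1) % STRING_LENGTH] for d in pin)


def candidate_pins(security_string: str, otc: str) -> Set[str]:
    """PINs consistent with an observed (security string, OTC) pair.

    Quantifies the caveat: an observer who sees BOTH values narrows the PIN.
    If the string is a permutation, every OTC digit maps back to exactly one
    position and the PIN is fully exposed; repeated digits leave ambiguity.
    Either way the string must travel on a channel the OTC does not."""
    _check_digits(security_string, STRING_LENGTH, "security string")
    _check_digits(otc, PIN_LENGTH, "OTC")
    per_digit = []
    for c in otc:
        # positions (expressed as PIN digits) whose character equals this OTC digit
        positions = {str((i + 1) % 10) for i, s in enumerate(security_string) if s == c}
        per_digit.append(positions)
    return {"".join(p) for p in itertools.product(*per_digit)}


class OtcServer:
    """Minimal verifier: one outstanding string per user, single use, time-limited."""

    def __init__(self, ttl_seconds: int = 60) -> None:
        self.ttl = ttl_seconds
        self._pins: Dict[str, str] = {}                # a real store would protect this
        self._pending: Dict[str, Tuple[str, float]] = {}

    def enroll(self, user: str, pin: str) -> None:
        _check_digits(pin, PIN_LENGTH, "PIN")
        self._pins[user] = pin

    def issue_string(self, user: str, now: Optional[float] = None) -> str:
        """Create the string to deliver out of band; replaces any older one."""
        if user not in self._pins:
            raise KeyError(user)
        s = new_security_string()
        self._pending[user] = (s, time.time() if now is None else now)
        return s

    def verify(self, user: str, otc: str, now: Optional[float] = None) -> bool:
        """True only for the correct OTC against an unexpired, unused string."""
        pending = self._pending.pop(user, None)  # consumed on any attempt: no replay
        if pending is None:
            return False
        s, issued = pending
        if (time.time() if now is None else now) - issued > self.ttl:
            return False
        if len(otc) != PIN_LENGTH or not otc.isdigit():
            return False
        expected = one_time_code(self._pins[user], s)
        return hmac.compare_digest(expected, otc)


if __name__ == "__main__":
    server = OtcServer()
    server.enroll("alice", "2468")                 # constructed sample user
    s = server.issue_string("alice")
    otc = one_time_code("2468", s)                 # what alice's phone shows her
    print(s, otc, server.verify("alice", otc))
    print(candidate_pins("3907156248", "9752"))    # permutation string: PIN exposed
```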

I’m all in favor of community groups, businesses and individuals teaming together to provide free high-speed wireless Internet access. Indeed, I have opened up the wireless access point in my own house; if you stand in my driveway with your wireless-enabled PDA, you can browse the Internet using my connection without even knocking on the door. Likewise, I’ve come to expect that high-speed Internet access will be available at conferences that I attend—and in most cases, it’s both easier and cheaper for conference organizers to set up a single wireless hub than to set up an Ethernet switch and string a lot of Category-5 cables.

But just as wireless technology has created security problems for network administrators, it has created vulnerabilities for mobile users as well. Ironically, these insecurities are both more severe for mobile users and easier to overcome. Most of the press coverage regarding WLAN security problems has focused on the weakness of the encryption system used to protect access points. Called WEP—short for wireline equivalent privacy—the system assigns an encryption key to each wireless network. In theory, each company was supposed to make up its own encryption key. If you didn’t know a company’s key, you were supposed to be blocked from accessing that company’s network.

As things turned out, the whole WEP approach was flawed for two reasons. The first was the encryption algorithm and protocols themselves. Seems the math behind WEP wasn’t very good, and it was fairly easy for cryptographers to write programs that could figure out the WEP key that a particular access point was using. Even moving to a stronger encryption algorithm didn’t help much because the underlying cryptographic protocols were flawed.

The second problem with WEP is significantly more embarrassing. Most people don’t even turn it on because WEP is somewhat hard to configure. To use the encryption, you need to type in the same key or password on every wireless computer you want to use. That configuration makes wireless computing a whole lot less convenient to use in practice—and as a result, people leave WEP disabled.

Without encryption, there’s nothing to prevent a hostile computer user from hooking up with your access point and scoping out your internal network. Any intranet pages, file shares or other services on your network that aren’t protected by passwords are then wide open. An attacker might even use your company’s Internet connection to send out spam.

An attacker that can use your wireless LAN can also listen in on the other wireless conversations taking place. Last spring, a Boston-area business was broken into by an attacker who sniffed the CEO’s password using a wireless LAN. The attacker then connected to the company’s Microsoft Exchange server and proceeded to download all the CEO’s e-mail. Messages about current and pending business deals eventually ended up on a website—ultimately costing the company more than $10 million.

Such eavesdropping is even more of a problem for people using wireless “hot spots” like those popping up at Starbucks coffee shops, conferences and many universities. By design, these hot spots do not use encryption. That means that any traffic sent over the network by one laptop-toting Starbucks customer can be eavesdropped by another.

I proved this point somewhat dramatically last fall at the PopTech technology conference. I had just upgraded my laptop to MacOS 10.2 and was curious about the improvements that Apple had made to the wireless LAN system. So I opened up a window and started running the “tcpdump” program—a built-in packet sniffer that comes standard with every copy of MacOS version 10. A few seconds later, my window was filled with packets that were whizzing back and forth through the area—mostly from other people in the audience who were browsing the Web or checking their e-mail. Personal e-mail, professional correspondence, computer passwords and whatever else was being sent over their wireless network—it was all there. Amazing.

Sniffable passwords and e-mail messages weren’t the only security problems to be found. Many of the high-powered corporate executives in the audience had a directory or an entire hard drive that their laptop was sharing with the network. I decided against checking any of those file shares to see if I could read the files without providing a password.

Horror stories like that one often leave readers thinking that there is no way to secure wireless technology. In fact, nothing could be further from the truth. While many of the laptop-wielding conference attendees were literally airing their confidential information, others were completely protected. That’s because they were using encryption to form a cryptographic barrier between my laptop and their information. But here’s the critical point: The others weren’t using the WEP encryption. They were using other encryption protocols such as SSL and IPsec—two protocols that are commonly used to secure webpages, e-mail and other information sent across the Internet.

Indeed, whenever I download my e-mail, I use SSL, the so-called secure sockets layer. SSL made its debut more than seven years ago as a tool to protect credit card numbers used to buy things online. But SSL also does a great job protecting e-mail passwords and the contents of mail messages. These days SSL is built into most e-mail clients, including Outlook, Outlook Express, Netscape and even Apple OS X Mail.

Sadly, most ISPs don’t make SSL available to their customers because SSL places a higher load on the ISP’s servers. I avoid that problem by running my own servers and making sure that those servers are equipped with SSL.

Many businesses don’t bother with SSL on their internal networks, but they do use IPsec or other virtual private network (VPN) protocols for letting mobile workers tunnel through the firewall to access the company’s internal mail servers and intranet. In many ways, that’s a fine compromise. The firewall/VPN combination protects the company’s critical servers from hostile outsiders, while the VPN encrypts all of the mobile user’s data so that it can’t be spied upon.

The problem with relying on firewalls and VPN, however, is that they encourage poor internal security practices—thinking that the network is safe, administrators don’t require the use of encryption for passwords or e-mail. File shares are left unprotected—after all, only people inside the company have access to them, right? Alas, these are the same practices that can be exploited when somebody sets up a wireless access point inside a company.

Good operational security procedures can go a long way toward minimizing such risks. If you always treat your network as if there were some hostile eavesdropper, you’ll be better prepared for those times when there actually is one. ■

Simson Garfinkel, CISSP, is a technology writer based in the Boston area. He is also CTO of Sandstorm Enterprises, an information warfare software company. He can be reached at machineshop@cxo.com.


Dye  iknother  Day 

Stepping from the purely digital world into the physical.... In 1998, Guilford Jones, a photochemistry expert at Boston University's photonics center, took $5 million in grant money from the Department of Defense and created a glowing dye. Here's the egghead explanation of Jones' work: He created a glowing dye with a time element whose wavelength can be measured; the dyes have unique spectral signatures that are difficult to reverse-engineer. (And here's the layman's translation: These dyes are nearly impossible to counterfeit.)

Mix the dye into ink and then imprint it on plastic, paper or foil, and voila, you have a unique identification technique. Dye-injected bar codes can be put into product labels to manage supply chains, to ensure counterfeit protection and channel management, and to provide delivery information. PhotoSecure is the Boston-based spinoff company that aims to commercialize the technology "to shield against brand larceny, channel diversion and document fraud." PhotoSecure supplies handheld readers ($300 each) that can read the glowing bars for immediate authentication. Pharmaceutical companies are particularly interested in this technology to prevent counterfeiting and diversion of drugs, a $20 billion black market in the United States, according to PhotoSecure President and CEO David Phillips. The company also cites designer clothing, handbags and luggage as frequent knockoff victims. Channel diversion refers to things like brand-name consumer-packaged goods that are stolen from manufacturing plants or delivery trucks and sold on the black market.

Down  the  road,  Phillips  envisions  other  possible 
uses  including  verification  of  passports,  aircraft  parts, 
computer  peripherals  and  so  on.  The  company  is 
also  working  with  government  departments  such  as 
the  FBI  to  provide  enhanced  security  for  federal 
workers  and  to  ensure  the  authenticity  of  government 
documents. 

If  you’re— forgive  us— dying  to  know  more,  check 
the  website  at  www.photosec.com. 

-Kathleen  S.  Carr 




Taming the Wolf in You


Technology  is  only  skin  deep.  When  it  comes  to  a  solid 
security  approach,  it’s  what's  on  the  inside  that  counts. 

By  Anonymous 


I WAS A TEENAGE SECURITY WEREWOLF.

Well,  loosely  speaking,  anyway.  I  wasn’t  really  a  teenager.  But  when  it  came  to 
security,  I  was  young  and  naive  and  all  about  the  technology. 

And then one day I had an epiphany: I realized that sometimes what I considered to be an unacceptable security practice could still be an acceptable business risk. It isn't important, really, how I got there. I finally realized I had been missing the point, attempting to throw the latest and greatest technology solutions at the security issues I had identified. And I began to see that it was impossible to assess a company's security program without understanding its culture and how the business management processes evolved within it.

Now, maybe that's not news to most people. But to me, it was a revelation that rocked my world. So I set off to transform myself from a technology werewolf to a more sophisticated security manager, a true career enhancement decision.

Reality set in on day one of my new job when I sat down with my security staff and outlined how we were going to review policies, practices and guidelines surrounding our security capabilities. We would take the organization's enterprise security architecture to new heights. If the company's security architecture was at level six, we'd make it a seven. Or even an eight. I discovered pretty quickly that, when it came to security planning, my new company was really back at square one.

I should have guessed it right away. I remember worrying that something was missing during corporate's 10-hour new-hire orientation program. I didn't hear anything on computer security, let alone information technology in general. IT was simply not on the radar.

Digging deeper, I learned from the IT guys that the servers were "locked down," which gave the company the false notion that it was operating in a secure environment. The proverbial honeymoon was over before it even started.

Still,  I  was  determined,  so  I  set  out  to  transform  the  psyche  of  my  new  company, 
convincing  it  that  IT  security  has  to  start  with  understanding  the  business  needs 
and  then  developing  a  strategy  to  address  those  needs. 


Now, what we're all so fond of calling best practices can often be generic and unspecified recommendations from vendors or outside authorities that don't really understand the details of individual business needs. True best practices, whether security-specific or not, come from within. You need to understand how the business management processes evolved before you can prescribe any suggested practices.

Likewise, security compliance must come from within. My new company had been basing its security criteria on the assumptions of outside "authorities" rather than on what was actually happening within the business. But until you get a solid security policy in place, your organization cannot even begin to communicate or implement security expectations, let alone train employees. Without a core security program, there is no compliance to security because there is nothing with which to comply.

As  I  see  it  now,  there  are  four  main  beasts  that  may 
misalign  any  security  program: 

No senior management support. Even if programs appear to have senior management sponsorship and dedicated security budgets, they won't be accepted if employees see them as controlling, wasteful and unproductive.

Unreasonable directives. Does technology dictate your business objectives, or does your business dictate your technology needs?

Lack of communication. Sometimes, it's best to let senior management and users "discover" security practices.

Limited funding. Budgets are forever tight. Get innovative. Instead of purchasing the learning management system, see what infrastructure already exists.

Once a security program is outlined, you can use a consultant to help develop specific security capabilities to enhance it. Every organization is different. Its security needs will also differ. Try to identify and understand how the corporate culture dictates, adopts and evolves security initiatives. And remember: Communication and representation are key factors in your transformation into a successful security manager. ■

This column is written anonymously by a real CSO at a major corporation. For reader feedback, e-mail us at csoundercover@cxo.com.




ILLUSTRATION  BY  ROB  DUNLAVEY 


THE  RESOURCE  FOR  SECURITY  EXECUTIVES 


Sales  and 
Services 

CSO  Sales  Offices 

President  Walter  Manninen  •  508  935-4101 
Group  Publisher 
Gary  J.  Beach  •  508  935-4202 
Publisher  Bob  Bragdon  •  508  935-4443 
Executive  VP  Sales/Custom  Publishing 
Ellen  Romanow  •  508  935-4796 

East  Coast 

Eastern  Regional  Sales  Manager 
Paul  Reiss  •  508  935-4163 
Eastern  Regional  Account  Executive 
Kim  Forrest  •  508  935-4068 
Senior  Regional  Manager 
Kathy  Powers  •  973  244-4041 

Midwest 

Regional  Director 
Robert  E.  Sawdon  •  512  306-9801 
Regional  Sales  Manager 
Christopher  Nolan  •  847  441-5005 

West  Coast 

Western  Regional  Sales  Manager 
Mary  Sinclair  •  415  975-2691 
Senior  Regional  Manager 
Jane  Evans  •  415  975-2680 
Regional  Manager 
Ai  Collins  •  415  975-2686 
Regional  Sales  Manager 
Chris  Bramel  •  949  475-5579 

List  Services 

List  Services  Director 

Kathryn  A.W.  Marston  •  508  935-4072 

List  Services  Account  Executive 

Stephanie  Roy  •  508  935-4151 

List  Services  Coordinator 

Kim  Cormican  •  508  935-4152 

Online  Services 

VP/Online  Sales 

Lisa  Brown  •  508  935-4470 

Online  Sales  Mgr. 

Michael  McPhee  •  508  935-4611 

Custom  Publishing 

Group  Director  Michael  Siggins 
Director  Mary  Gregory 
Director  of  Content  Development 
Tom  Field 

Project  Manager  Amy  Greenleaf 
Graphic  Designer  Chris  Brown 


Production 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Lee  Tuttle 
Senior  Production  Coordinator 
Lisa  Stevenson 

Executive  Programs 

Senior  Vice  President  Ronald  L.  Milton 

Conference  Management  VP 

Cynthia  Moilus 

Marketing  Services  Director 

Shellie  Rapson  James 

Director  of  Sales  John  Amato 

Program  Operations  Manager  Brian  Fuce 

Conference  Program  Manager  Randy  Levy 

Marketing  Manager  Glede  Kabongo 

Event  Development  Specialist 

Sandra J. Hughey

Operations  Coordinator  Michael  Barbato 
Fulfillment  Services  Coordinator 
Andrea  Slobogan 

Event Planning Manager Amy Turell

Marketing 

Executive  VP/Marketing 
Cathy  O'Leary  Hayes 

VP/News  and  Information  Susan  Watson 
Media  Relations  Manager  Karen  Fogerty 
News  and  Information  Associate 

Lori  Piscatelli 

Marketing  Research  Director 
Bridget  Cammarata 
Marketing  Research  Manager 
Carolyn  Johnson 
Sr.  Marketing  Research  Analyst 
Dylan  DiGregorio 

Marketing  Comm.  Director  Sue  Yanovitch 
Sr.  MarCom  Development  Specialist 

Kari  Curto 

Marketing  Comm.  Associate 
Sarah  Crowley 

Circulation 

Senior  VP/Circulation  Carol  A.  Spach 
Circulation  Director  Faith  Marcello 
Subscription  Svcs.  Supervisor  Tina  Pescaro 

Reprint  Services 

For  article  reprints,  please  contact  Reprint 
Services  at  651  582-3800  or  e-mail 
csoreprints@reprintservices.com. 

For  further  sales  information,  visit 
www.csoonline.com/marketing/sales.html. 


CSO  Contact 
Information 

Editorial,  Advertising  and  Business  Offices 

492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208, 508 872-0080.

Postal  Information 

CSO (ISSN 1540-904x) is published monthly by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Application to mail at Periodicals postage rate is pending at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. CANADIAN POSTMASTER: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9.

Permissions 

Copyright 2003 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Send all requests to Permissions Department, CSO, 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208.

Photocopy  Rights 

Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that the base fee of $3 per copy of the article, plus $.50 per page, is paid directly to Copyright Clearance Center, 27 Congress Street, Salem, MA 01970. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol: $.

Subscriptions 

Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified information executives. To all others the one-year basic rate is $90 for the United States and Canada, $115 to foreign countries (payable in U.S. funds only). The single copy price is $9. Please allow four to six weeks for new subscriptions to begin.

Change  of  Address 

Please  go  to  www.omeda.com/custsrv/cso 
and  follow  the  online  instructions. 

Postmaster 

Send  change  of  address  to  CSO,  P.O.  Box 
3482,  Northbrook,  IL  60065.  Printed  in  the 
USA. 


Index  of 
Companies  and 
Advertisers 

Page  numbers  refer  to  the  first  page  of 
the  article(s)  in  which  the  company  is 
mentioned.  This  index  is  provided  as  a 
service  to  readers.  The  publisher  does  not 
assume  any  liability  for  errors  or  omissions. 


Company Index

Accenture ... 62
Avon Products ... 26
Citizens Financial Group Inc. ... 34
Computer Sciences Corp. ... 34
Data Security Auditors ... 44
Deloitte & Touche LLP ... 34
Direct Measures International Inc. ... 13
HNC Software Inc. ... 34
KPMG LLP ... 26
Massachusetts Mutual Life Insurance Co. ... 34
MasterCard International Inc. ... 34
Metropolitan Life Insurance Co. ... 22, 34
PacifiCorp ... 44
PhotoSecure Inc. ... 57
PivX Solutions LLC ... 13
Providence Health Plan ... 44
Razorpoint Security Technologies Inc. ... 44
Rochester Health Care Information Group ... 44
ScottishPower ... 44
Solutionary Inc. ... 34
Swivel Technologies LTD ... 57
Wachovia Bank N.A. ... 44
World Bank Group Inc. ... 34

Advertiser Index

Aladdin Knowledge Systems ... 9
BearingPoint Inc. ... 7
Check Point Software ... C2
Cisco Systems Inc. ... 25
Computer Associates Intl. Inc. ... 5, 54
CXO Media Inc. ... 21, 41, 42
CyberGuard Corp. ... C3
GROUP ... 29, 31
Information Systems Audit and Control Assoc. ... 12
Intel ... 19
Intense School ... 49
NetIQ Corp. ... C4
Nokia ... 32
Psynapse Technologies ... 23
SecureLogix Corp. ... 56
Symantec Corp. ... 2




debriefing 


Kilgore  was  here 


Junk  Food  for  Thought 


David Kilgore Black might well be a hacker today, if he weren't brought up the right way. Alas, Mr. Black's parents did well, and now he's senior manager of global security technologies at Accenture. But there is a scheming side to Black, a guy who not only appreciates hacking, but admires it. Often he finds himself looking around his environs to see who, or what, he could scam if he wanted to. Lately, he hasn't had to go much farther than the kitchen. Black recently wrote a short paper on the notably strong connection between junk food and hacking.

In the paper, he cites the now-famous Pringles-can antenna used to amplify (and intercept) 802.11 wireless signals. He cites the Gummi Bear fingerprint ruse to fool biometric readers. And he recalls the ol' Cap'n Crunch toy-whistle ploy from the '70s, in which said whistle found in cereal boxes could rig the phone system for long-distance calls. CSO caught up with Black to ask him about the potential nefarious uses of jelly doughnuts and Cheetos.

CSO: You were in show business before this, doing off-Broadway, soap operas and movie extra bits. How'd you come into security?

Black:  In  the  first  years  of  my  marriage,  we 
were  always  taking  trains  from  New  York  to 
New  England.  They’d  give  us  a  seat  check, 
color-coded  to  identify  your  stop.  Green  was 
New  Haven,  red,  Providence.  I  thought  it 
would  be  perfectly  easy  to  get  on  this  train 
and  grab  someone’s  seat  check.... 

So you and your wife freeloaded?

No. Honest to God I didn't! But I loved thinking about it. I loved reading about the scams in Steal This Book [by Abbie Hoffman]. At some point my wife suggested maybe acting wasn't my call but computer security was.

You  said  you  wrote  this  paper  because  you 
were  looking  for  something  funny  to  write. 
Why?  Everyone  knows  security  guys  don’t 
have  a  sense  of  humor. 

We  do  have  a  sense  of  humor,  but  it's  a 
devious  sense  of  humor.  We're  passionate 
about  what  we  do;  it’s  not  just  a  job  and,  no 
matter  what  anybody  says  in  this  business, 
if  they  were  brought  up  wrong,  they'd  go  the 
other  way.  I  have  said  more  than  once  after 
a  successful  penetration  test,  I  can't  believe 
I  get  paid  to  do  this. 


Should  the  Food  and  Drug  Administration  be 
put  in  the  Department  of  Homeland 
Security? 

Maybe  the  Consumer  Product  Safety 
Commission.  Who’s  monitoring  the  "toys" 
they  put  in  Cracker  Jacks? 

How  can  we  use  that  classic  hacker  food 
group,  pizza,  as  a  hacking  tool? 

The  Gummi  Bear  fingerprint  was  a  great 
leap  forward  because  it  used  the  food  stuff 
and  not  the  packaging.  Pizza,  I  don’t  know. 
Maybe  the  box  has  some  use. 

You  also  said  in  your  paper  you  hope  they 
come  up  with  a  hack  that  involves  12-year- 
old  Scotch  Whiskey.  The  last  time  we  did 
this  [see  Debriefing,  October  2002],  our 
interviewee  talked  about  “cocktail  viruses.” 
We  notice  a  trend. 

Did  you  hear  they’re  working  on  a  methane 
battery?  If  I  were  on  a  plane,  I  could  ask 
for  one  of  those  nips  of  vodka  to  get  through 
my  e-mail. 

What  else  did  you  learn  researching  your 
incredibly  important  paper? 

I  learned  that  with  the  phone  phreaking  in 
the  70s,  the  hackers  would  route  a  call 
from,  let’s  say,  Cincinnati  to  Nashville,  back 
to  Cincinnati,  to  Nashville,  to  Seattle,  to 
Austin.  And  they  would  hear  this  lengthy 
series  of  clicks  and  pops.  And  they'd  end 
up  calling  the  room  next  to  them. 

Those  crazy  kids.  Maybe  they  need  to  get 
a  life? 

Oh,  they  have  a  life.  At  least  they’re 
passionate.  I  love  that  they  still  have  this 
hobbyists' or tinkerers' mentality. It's like
ham  radio  30  years  ago.  It’s  from  that 
tinkerers’  eccentricity  that  great  ideas 
are  born. 

Like  vodka  batteries? 

What  I  find  interesting  is  that  the  whole 
argument  for  longer-lasting  batteries  is 
about  jamming  more  energy  into  the  same 
amount  of  space,  which  is  exactly  the 
theory  of  dynamite. 

Back  to  the  pizza.  There  must  be  something 
in  the  cheese  we  can  use? 

Probably  methane.  ■ 




ILLUSTRATION  BY  PATRICK  MEREWETHER 


"There  were  several  factors  that  went  into  our  decision  to 
choose  CyberGuard.  Chief  among  these  was  its  proven 
secure  track  record.  Independent  data,  reports  and  evaluations 
also  revealed  the  product's  overall  excellence.  And  we  were 
particularly  gripped  by  its  hardened  OS,  powerful  VPN  and 
obvious  rock  solid  security. 

"The  Internet,  with  its  continuous  connections,  acts  as  a 
doorway  directly  into  your  office.  It  offers  a  way  out  to  the  world 
and,  more  importantly,  a  way  in  for  the  world.  At  our  firm,  we 
maintain  and  store  confidential  and  privileged  materials,  as  well 
as  trade  secret  information.  As  a  result,  we  could  not  risk 
choosing  a  product  with  any  vulnerability  when  we  undertook 
steps  to  secure  our  office  and  valuable  information.  Frankly, 
knowledge  of  any  vulnerability  alone  is  enough  to  stick  you  with 
legal  liability. 

"Faced  with  the  prospect  of  having  to  spend  $10,000  to  $12,000 
to  get  the  quality  and  performance  in  this  caliber  of  a  product, 
you  also  need  to  weigh  the  potential  legal  liability.  In  our 
opinion,  one  breach  could  expose  any  company  to  millions  in 
liability.  And  that  was  not  a  risk  we  wanted  to  take." 

CyberGuard's security solutions are found in Global 2000 companies and governments worldwide. CyberGuard's award-winning, premium firewall/VPN appliances maintain complete separation of network traffic from system components.


Common Criteria EAL4+ CERTIFIED


Jonathan  Franklin 

Trial  lawyer 


Jonathan  Franklin,  P.A.,  a  boutique  law  firm  based  in 
Miami,  Florida,  represents  corporate  clients  around  the 
country.  The  firm  specializes  in  product  liability  and  tort 
law. 


Rock Solid Security


Firewall/VPN Appliances

For  white  papers  on  Rock  Solid  Security  go  to: 
www.cyberguard.com/ROCKSOLID/home.cfm 
Phone:  954.958.3878  •  e-mail:  info@cyberguard.com 


CYBERGUARD


WORLDWIDE 

DEFEND  YOUR  DOMAIN 


Copyright  2002  CyberGuard  Corporation.  All  rights  reserved 


Krizi Trivisani, Information Security Officer, The George Washington University


Be like Krizi, and get control of your enterprise security with NetIQ!


Policy & Compliance Management
Administration & Identity Management
Vulnerability & Configuration Management
Event Management


As Information Security Officer for The George Washington University in Washington, DC, Krizi Trivisani is responsible for getting more than 30,000 students, employees and faculty to comply with their security policies every day. VigilEnt Integrated Security Management Solutions from NetIQ make it so much easier to automate and control policy compliance, freeing her staff to work on other priorities. NetIQ's VigilEnt Integrated Security Management Solutions provide the only cost-effective way to secure your business by helping you enforce security policies, efficiently administer users, minimize vulnerabilities, and prevent intrusions, optimizing the administration and protection of information assets throughout your enterprise. Be like Krizi, and get control of your enterprise security. Get VigilEnt!

Put VigilEnt Integrated Security Management Solutions from NetIQ to work for you.


Only NetIQ offers this comprehensive suite of security management solutions for your network.


Discover for yourself how NetIQ's VigilEnt Integrated Security Management Solutions are unmatched in the security industry. Visit our web site at www.netiq.com to download a FREE product trial, or our FREE White Paper: "Enterprise Security: Moving From Chaos to Control with Integrated Security Management from NetIQ".


Kevin Mitnick LIVE and Unplugged! Join Kevin Mitnick and a panel of experts for our live webcast, February 18, and learn how you can make people your company's first line of defense. Register today at www.netiq.com/chaos


NetIQ

Work Smarter.


© 2003 NetIQ Corporation, all rights reserved. VigilEnt, NetIQ, and the NetIQ logo are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other jurisdictions. All other company and product names may be trademarks or registered trademarks of their respective companies.


